Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 20211129.exe

Overview

General Information

Sample Name:20211129.exe
Analysis ID:532897
MD5:672587fb175264ef8b45a2b0857f273f
SHA1:ab7c2f5edf572d5b28d7da50f548d73d49f92b71
SHA256:c00b66ef61df2012b269bca3e60b301478641292948f1cac579096603ad67f98
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
JA3 SSL client fingerprint seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64native
  • 20211129.exe (PID: 8840 cmdline: "C:\Users\user\Desktop\20211129.exe" MD5: 672587FB175264EF8B45A2B0857F273F)
    • CasPol.exe (PID: 3264 cmdline: "C:\Users\user\Desktop\20211129.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 3248 cmdline: "C:\Users\user\Desktop\20211129.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • svchost.exe (PID: 3264 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=down"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000000.785162355.0000000000E10000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Suspicious Svchost ProcessShow sources
    Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\20211129.exe" , ParentImage: C:\Users\user\Desktop\20211129.exe, ParentProcessId: 8840, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 3264
    Sigma detected: Windows Processes Suspicious Parent DirectoryShow sources
    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\20211129.exe" , ParentImage: C:\Users\user\Desktop\20211129.exe, ParentProcessId: 8840, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 3264

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 0000000A.00000000.785162355.0000000000E10000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=down"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: 20211129.exeVirustotal: Detection: 36%Perma Link
    Source: 20211129.exeMetadefender: Detection: 21%Perma Link
    Source: 20211129.exeReversingLabs: Detection: 51%
    Source: 20211129.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49757 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49921 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50004 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50255 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50326 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50442 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50575 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50677 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50706 version: TLS 1.2

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=down
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50733
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50732
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50735
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50734
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50737
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50736
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50739
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50738
    Source: unknownNetwork traffic detected: HTTP traffic on port 50726 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50693 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51147 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50211 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50452 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50177 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50744
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50743
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50746
    Source: unknownNetwork traffic detected: HTTP traffic on port 50578 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50745
    Source: unknownNetwork traffic detected: HTTP traffic on port 50853 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50748
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50747
    Source: unknownNetwork traffic detected: HTTP traffic on port 50440 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50165 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50749
    Source: unknownNetwork traffic detected: HTTP traffic on port 51135 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50740
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50742
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50741
    Source: unknownNetwork traffic detected: HTTP traffic on port 50325 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50600 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50967 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49909 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50292 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49978 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50738 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50755
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50754
    Source: unknownNetwork traffic detected: HTTP traffic on port 51008 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50757
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50756
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50759
    Source: unknownNetwork traffic detected: HTTP traffic on port 50980 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50758
    Source: unknownNetwork traffic detected: HTTP traffic on port 49966 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50189 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50464 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50751
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50750
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50753
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50752
    Source: unknownNetwork traffic detected: HTTP traffic on port 50108 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50439 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50766
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50765
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50768
    Source: unknownNetwork traffic detected: HTTP traffic on port 50280 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49864 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50767
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50760
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50762
    Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50761
    Source: unknownNetwork traffic detected: HTTP traffic on port 50337 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50612 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50764
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50763
    Source: unknownNetwork traffic detected: HTTP traffic on port 50051 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51045 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50566 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50841 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50153 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50235 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50510 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51090 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50795 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50382 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50979 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
    Source: unknownNetwork traffic detected: HTTP traffic on port 51192 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49783
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
    Source: unknownNetwork traffic detected: HTTP traffic on port 51077 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
    Source: unknownNetwork traffic detected: HTTP traffic on port 50783 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50877 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50026 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50591 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50301 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51160 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50700
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50702
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50701
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
    Source: unknownNetwork traffic detected: HTTP traffic on port 50656 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50704
    Source: unknownNetwork traffic detected: HTTP traffic on port 50931 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50703
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50706
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50705
    Source: unknownNetwork traffic detected: HTTP traffic on port 51065 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50247 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50522 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50370 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50407 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51089 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50708
    Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50707
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50709
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50711
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50710
    Source: unknownNetwork traffic detected: HTTP traffic on port 51033 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
    Source: unknownNetwork traffic detected: HTTP traffic on port 50313 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50713
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
    Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50712
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50715
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50714
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50717
    Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50716
    Source: unknownNetwork traffic detected: HTTP traffic on port 51159 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51103 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50719
    Source: unknownNetwork traffic detected: HTTP traffic on port 50259 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50534 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50718
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50496 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknownNetwork traffic detected: HTTP traffic on port 50865 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknownNetwork traffic detected: HTTP traffic on port 50771 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50121 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50722
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50721
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50724
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50723
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50726
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50725
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50728
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50727
    Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50720
    Source: unknownNetwork traffic detected: HTTP traffic on port 51021 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50992 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49934 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50729
    Source: unknownNetwork traffic detected: HTTP traffic on port 50369 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50644 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50337
    Source: unknownNetwork traffic detected: HTTP traffic on port 50420 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50336
    Source: unknownNetwork traffic detected: HTTP traffic on port 51201 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50339
    Source: unknownNetwork traffic detected: HTTP traffic on port 50386 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51115 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50338
    Source: unknownNetwork traffic detected: HTTP traffic on port 50546 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51196 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50116 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50331
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50330
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50333
    Source: unknownNetwork traffic detected: HTTP traffic on port 50632 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50332
    Source: unknownNetwork traffic detected: HTTP traffic on port 50873 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50335
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50334
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51070 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50071 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50305 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50758 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50999 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50348
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50347
    Source: unknownNetwork traffic detected: HTTP traffic on port 51082 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50349
    Source: unknownNetwork traffic detected: HTTP traffic on port 50505 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50935 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50340
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50342
    Source: unknownNetwork traffic detected: HTTP traffic on port 50987 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50341
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50344
    Source: unknownNetwork traffic detected: HTTP traffic on port 50243 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50343
    Source: unknownNetwork traffic detected: HTTP traffic on port 51001 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50346
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50345
    Source: unknownNetwork traffic detected: HTTP traffic on port 50673 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50128 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51184 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50197 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50885 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50359
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51207
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50358
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51208
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51205
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51206
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51209
    Source: unknownNetwork traffic detected: HTTP traffic on port 50804 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50351
    Source: unknownNetwork traffic detected: HTTP traffic on port 50317 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50350
    Source: unknownNetwork traffic detected: HTTP traffic on port 50558 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51200
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50353
    Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50352
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50355
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51203
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50354
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51204
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50357
    Source: unknownNetwork traffic detected: HTTP traffic on port 50374 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51201
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50356
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51202
    Source: unknownNetwork traffic detected: HTTP traffic on port 49986 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50861 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50360
    Source: unknownNetwork traffic detected: HTTP traffic on port 50620 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
    Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50419 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50369
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
    Source: unknownNetwork traffic detected: HTTP traffic on port 50255 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
    Source: unknownNetwork traffic detected: HTTP traffic on port 50685 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50362
    Source: unknownNetwork traffic detected: HTTP traffic on port 51172 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50361
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50364
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50363
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50366
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50365
    Source: unknownNetwork traffic detected: HTTP traffic on port 50897 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50368
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50367
    Source: unknownNetwork traffic detected: HTTP traffic on port 50923 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50371
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50370
    Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51127 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50777
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50776
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50779
    Source: unknownNetwork traffic detected: HTTP traffic on port 50911 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51140 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50778
    Source: unknownNetwork traffic detected: HTTP traffic on port 50571 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50771
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50770
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50773
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50772
    Source: unknownNetwork traffic detected: HTTP traffic on port 51025 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50775
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50774
    Source: unknownNetwork traffic detected: HTTP traffic on port 50350 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50943 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50267 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50697 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50607 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50362 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50304
    Source: unknownNetwork traffic detected: HTTP traffic on port 50444 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50788
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50303
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50787
    Source: unknownNetwork traffic detected: HTTP traffic on port 51057 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50306
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50305
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50789
    Source: unknownNetwork traffic detected: HTTP traffic on port 50173 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50308
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50307
    Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50309
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50780
    Source: unknownNetwork traffic detected: HTTP traffic on port 50702 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50781
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50300
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50784
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50783
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50302
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50786
    Source: unknownNetwork traffic detected: HTTP traffic on port 51139 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50301
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50785
    Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50816 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50141 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50734 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50476 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50315
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50799
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50314
    Source: unknownNetwork traffic detected: HTTP traffic on port 50791 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50798
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50317
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50316
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50319
    Source: unknownNetwork traffic detected: HTTP traffic on port 50955 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50318
    Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50279 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50791
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50790
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50793
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50311
    Source: unknownNetwork traffic detected: HTTP traffic on port 50394 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50619 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50795
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50310
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50313
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50797
    Source: unknownNetwork traffic detected: HTTP traffic on port 50223 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50312
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50796
    Source: unknownNetwork traffic detected: HTTP traffic on port 51069 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50349 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51013 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50326
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50325
    Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50328
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50327
    Source: unknownNetwork traffic detected: HTTP traffic on port 50828 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50329
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50320
    Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50322
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50321
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50324
    Source: unknownNetwork traffic detected: HTTP traffic on port 50488 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50323
    Source: unknownNetwork traffic detected: HTTP traffic on port 50746 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50432 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50514 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50185 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50296
    Source: unknownNetwork traffic detected: HTTP traffic on port 50915 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51144
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50295
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51145
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50298
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51142
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50297
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51143
    Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51148
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50299
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51149
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51146
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51147
    Source: unknownNetwork traffic detected: HTTP traffic on port 51176 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51151
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51152
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51150
    Source: unknownNetwork traffic detected: HTTP traffic on port 50389 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50400 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51164 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50148 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51155
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51156
    Source: unknownNetwork traffic detected: HTTP traffic on port 50377 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50652 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51153
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51154
    Source: unknownNetwork traffic detected: HTTP traffic on port 51061 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51159
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51157
    Source: unknownNetwork traffic detected: HTTP traffic on port 50240 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51158
    Source: unknownNetwork traffic detected: HTTP traffic on port 50755 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51162
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51163
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51160
    Source: unknownNetwork traffic detected: HTTP traffic on port 50537 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51161
    Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50308 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50227 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50252 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50502 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50550 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51166
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51167
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51164
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51165
    Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50390 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51152 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51168
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51169
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51170
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51173
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51174
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51171
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51172
    Source: unknownNetwork traffic detected: HTTP traffic on port 50903 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51107 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50767 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50549 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50824 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51177
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51178
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51175
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51176
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51179
    Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50481 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51180
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51181
    Source: unknownNetwork traffic detected: HTTP traffic on port 50996 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50136 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 51073 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51184
    Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51185
    Source: unknownNetwork traffic detected: HTTP traffic on port 51209 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51182
    Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51183
    Source: unknownNetwork traffic detected: HTTP traffic on port 50940 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50665 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50365 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50640 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51108
    Source: unknownNetwork traffic detected: HTTP traffic on port 50193 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50259
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51109
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51106
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51107
    Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 50424 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50252
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51100
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50251
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51101
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50254
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50253
    Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50256
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: 20211129.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: 20211129.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.962830691.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5674801137.00000118BEA1F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.962830691.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5674334277.00000118BEA00000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: 20211129.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: 20211129.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: 20211129.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: 20211129.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: svchost.exe, 00000027.00000003.4361518755.00000118BE35D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4360848351.00000118BE378000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673923044.00000118BE37A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5671194226.00000118BE300000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdKeyInf
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng
    Source: svchost.exe, 00000027.00000003.4355511851.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdpen.or
    Source: svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdjA1BX
    Source: svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds/SO
    Source: svchost.exe, 00000027.00000003.4355511851.00000118BE329000.00000004.00000001.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: http://go.microsoft.c
    Source: 20211129.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: 20211129.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: svchost.exe, 00000027.00000002.5666537365.00000118BDAA6000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5665866140.00000118BDA92000.00000004.00000001.sdmpString found in binary or memory: http://passport.net/tb
    Source: svchost.exe, 00000027.00000002.5671194226.00000118BE300000.00000004.00000001.sdmpString found in binary or memory: http://schemas.mi
    Source: svchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.o
    Source: svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    Source: svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
    Source: svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
    Source: svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc2
    Source: svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
    Source: svchost.exe, 00000027.00000003.4355597128.00000118BE32F000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
    Source: svchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Source: svchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    Source: 20211129.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://account.live.com/msangcwam
    Source: CasPol.exe, 0000000A.00000003.1245237921.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1235512662.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240307477.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1249727247.00000000010C4000.00000004.00000001.sdmpString found in binary or memory: https://csp.witW
    Source: CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-
    Source: CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1309123731.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1285034721.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294482817.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1290004038.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324159238.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1319109794.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1280598742.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1304263968.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1271148801.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328862998.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1275540782.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1299016244.000000000109C000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314180225.000000000109C000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/R
    Source: CasPol.exe, 0000000A.00000003.1471912478.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1435277415.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515613484.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475927064.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557773256.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1583474082.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678626722.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1541063441.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1570043634.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674832691.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/W
    Source: CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324008051.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1280442157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1275431820.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298906833.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1271037655.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328749137.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/j
    Source: CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
    Source: CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
    Source: CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/&0
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/)Z
    Source: CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/.azu)Z
    Source: CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/.com
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/0
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/4
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/801120000Z
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/IZ
    Source: CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/YZ
    Source: CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/_1
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/a
    Source: CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/aZ
    Source: CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/ertificates
    Source: CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/heal
    Source: CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/iZ
    Source: CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/ificate
    Source: CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/l-in
    Source: CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/qZ
    Source: CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/r
    Source: CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD(
    Source: CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426791531.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD(r-
    Source: CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1369407006.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD3B
    Source: CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD:443
    Source: CasPol.exe, 0000000A.00000003.1640818515.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450982432.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471912478.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1435277415.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294350967.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1599289353.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515613484.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670853971.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1624218048.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324008051.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1520029377.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475927064.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557773256.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591820878.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1583474082.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657814417.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1480115278.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497780153.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1620088017.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1607560343.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484697681.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678626722.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426791531.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1443338747.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1459209172.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1524389793.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1304018285.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1632397681.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653666892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1628310372.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501722392.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1431190859.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565829450.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1541063441.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1280442157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682869220.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1528330711.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615920315.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1579082727.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1506077137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1439205630.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1309005834.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1636623757.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314043990.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1275431820.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1455089519.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298906833.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553939270.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1511243331.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1489096652.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1545299311.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467672892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1666224767.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1574648097.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1603347399.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536917799.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493523456.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357222979.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1549676896.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1289856797.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463618569.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561742856.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361737440.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1587526429.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1570043634.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1271037655.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611736393.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328749137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1369407006.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1649612157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284916411.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674832691.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318982024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1645127464.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532622621.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD;C
    Source: CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1435277415.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426791531.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1443338747.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1431190859.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1439205630.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDDr
    Source: CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqD
    Source: CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDB
    Source: CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDQ
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1356614138.00000000010F2000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDa
    Source: CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDes1
    Source: CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDq
    Source: CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDry
    Source: CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1356614138.00000000010F2000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDry1
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDGM6H2AxKQlqUpqDryA
    Source: CasPol.exe, 0000000A.00000003.1640818515.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450982432.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471912478.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1435277415.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294350967.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1599289353.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515613484.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670853971.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1624218048.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324008051.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1520029377.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475927064.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557773256.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591820878.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1583474082.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657814417.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1480115278.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497780153.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1620088017.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1607560343.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484697681.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678626722.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426791531.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1443338747.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1459209172.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1524389793.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1304018285.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1632397681.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653666892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1628310372.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501722392.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1431190859.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565829450.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1541063441.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1280442157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682869220.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1528330711.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615920315.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1579082727.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1506077137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1439205630.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1309005834.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1636623757.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314043990.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1275431820.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1455089519.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298906833.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553939270.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1511243331.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1489096652.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1545299311.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467672892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1666224767.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1574648097.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1603347399.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536917799.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493523456.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357222979.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1549676896.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1289856797.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463618569.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561742856.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361737440.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1587526429.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1570043634.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1271037655.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611736393.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328749137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1369407006.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1649612157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284916411.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674832691.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318982024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1645127464.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532622621.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDYB
    Source: CasPol.exe, 0000000A.00000003.1640818515.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450982432.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471912478.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405878031.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1435277415.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294350967.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670853971.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324008051.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475927064.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557773256.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1583474082.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657814417.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1480115278.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497780153.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678626722.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426791531.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1459209172.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1524389793.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1304018285.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653666892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501722392.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1431190859.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565829450.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1541063441.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682869220.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1528330711.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1579082727.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1506077137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1439205630.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1309005834.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1636623757.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314043990.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1455089519.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298906833.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553939270.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1489096652.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1545299311.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467672892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1666224767.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1574648097.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536917799.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493523456.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1549676896.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1289856797.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463618569.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561742856.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361737440.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1570043634.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328749137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1369407006.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1649612157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284916411.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674832691.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318982024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1645127464.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532622621.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqD_
    Source: CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDa
    Source: CasPol.exe, 0000000A.00000003.1599289353.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515613484.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670853971.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557773256.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591820878.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1583474082.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657814417.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678626722.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1304018285.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565829450.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1541063441.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682869220.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1579082727.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1309005834.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314043990.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553939270.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1511243331.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1545299311.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1666224767.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1574648097.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1603347399.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1549676896.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561742856.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1587526429.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1570043634.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674832691.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDc
    Source: CasPol.exe, 0000000A.00000003.1471912478.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1599289353.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1422472544.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1624218048.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1324008051.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1520029377.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475927064.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657814417.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1480115278.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1620088017.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1607560343.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1397261524.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1414270516.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1443338747.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401791766.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1632397681.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653666892.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1628310372.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410036457.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501722392.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1280442157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615920315.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1506077137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1439205630.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1636623757.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314043990.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1275431820.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1455089519.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298906833.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661943690.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1511243331.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1489096652.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1666224767.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1603347399.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493523456.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357222979.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361737440.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611736393.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1328749137.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1649612157.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284916411.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318982024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDe
    Source: CasPol.exe, 0000000A.00000003.1385780309.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381685382.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1393153534.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1377532537.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1373464714.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361737440.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1369407006.0000000001086000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1o0C1BGIxW2cDwY9GAGM6H2AxKQlqUpqDtr
    Source: CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uk1
    Source: CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/yZ
    Source: svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.liUTF-16p
    Source: svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.liUTF-8p
    Source: svchost.exe, 00000027.00000002.5665866140.00000118BDA92000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
    Source: svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf9524
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
    Source: svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502er
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354510338.00000118BE30E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354510338.00000118BE30E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
    Source: svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
    Source: svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srfy.srf
    Source: svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srfp
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5671630093.00000118BE313000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5666537365.00000118BDAA6000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5668106356.00000118BDAE6000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/RST2.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/didtou.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAs
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
    Source: svchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
    Source: svchost.exe, 00000027.00000003.4354510338.00000118BE30E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf1
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354510338.00000118BE30E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354132081.00000118BE36B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
    Source: svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805025
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
    Source: svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
    Source: svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354510338.00000118BE30E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4354443309.00000118BE30E000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
    Source: svchost.exe, 00000027.00000002.5662917899.00000118BDA2A000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpp
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
    Source: svchost.exe, 00000027.00000002.5663989122.00000118BDA5E000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
    Source: svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
    Source: svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
    Source: svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/retention.srf
    Source: svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
    Source: 20211129.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: unknownDNS traffic detected: queries for: drive.google.com
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49757 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49921 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50004 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50255 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50326 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50442 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50575 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50677 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:50706 version: TLS 1.2

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: 20211129.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 20211129.exe, 00000003.00000002.1442806374.0000000000425000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe
    Source: 20211129.exe, 00000003.00000002.1444799627.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametofrontskrig.exeFE2XD vs 20211129.exe
    Source: 20211129.exeBinary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe
    Source: 20211129.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\20211129.exeSection loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dll
    Source: 20211129.exeStatic PE information: invalid certificate
    Source: 20211129.exeVirustotal: Detection: 36%
    Source: 20211129.exeMetadefender: Detection: 21%
    Source: 20211129.exeReversingLabs: Detection: 51%
    Source: 20211129.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\20211129.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\20211129.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknownProcess created: C:\Users\user\Desktop\20211129.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Users\user\Desktop\20211129.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:304:WilStaging_02
    Source: C:\Users\user\Desktop\20211129.exeFile created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372Jump to behavior
    Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@7/0@1/2
    Source: Window RecorderWindow detected: More than 3 window changes detected

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 0000000A.00000000.785162355.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_0040C11C pushfd ; iretd
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_022A4438 push ebx; ret
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_022A14D7 push cs; ret
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_022A4A47 push eax; iretd
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_022A6F1C push cs; retf
    Source: C:\Users\user\Desktop\20211129.exeCode function: 3_2_022A1F66 push ds; retf
    Source: C:\Users\user\Desktop\20211129.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\20211129.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\20211129.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect Any.runShow sources
    Source: C:\Users\user\Desktop\20211129.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\20211129.exeFile opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
    Source: 20211129.exe, 00000003.00000002.1444458752.00000000022C0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
    Source: 20211129.exe, 00000003.00000002.1444458752.00000000022C0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: 20211129.exe, 00000003.00000002.1443313649.000000000058D000.00000004.00000020.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 1429
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2116Thread sleep time: -14290000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\20211129.exeSystem information queried: ModuleInformation
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: vmicvss
    Source: CasPol.exe, 0000000A.00000003.1575085382.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1545535897.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1455298521.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1382008669.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493794998.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1620358188.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1349412675.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1410310004.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1314342925.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1406197145.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294806837.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1607792712.00000000010B6000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1260755235.00000000010B6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
    Source: CasPol.exe, 0000000A.00000003.1587254059.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493287473.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1294078129.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1323734545.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284696703.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627969560.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426490414.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544994268.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569666757.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665996171.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1599016325.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497540009.000000000105A000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1524117891.000000000105A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW(
    Source: 20211129.exe, 00000003.00000002.1444458752.00000000022C0000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
    Source: 20211129.exe, 00000003.00000002.1443313649.000000000058D000.00000004.00000020.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: 20211129.exe, 00000003.00000002.1444458752.00000000022C0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
    Source: 20211129.exe, 00000003.00000002.1446177525.0000000002E09000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat

    Anti Debugging:

    barindex
    Hides threads from debuggersShow sources
    Source: C:\Users\user\Desktop\20211129.exeThread information set: HideFromDebugger
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\20211129.exeProcess queried: DebugPort
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess queried: DebugPort

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Writes to foreign memory regionsShow sources
    Source: C:\Users\user\Desktop\20211129.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: E10000
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"
    Source: C:\Users\user\Desktop\20211129.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\20211129.exe"

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection111Masquerading1OS Credential DumpingSecurity Software Discovery311Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion22LSASS MemoryVirtualization/Sandbox Evasion22Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection111Security Account ManagerApplication Window Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol12Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)DLL Side-Loading1NTDSSystem Information Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532897 Sample: 20211129.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 96 21 prda.aadg.msidentity.com 2->21 23 drive.google.com 2->23 29 Potential malicious icon found 2->29 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 4 other signatures 2->35 8 20211129.exe 1 2 2->8         started        signatures3 process4 signatures5 37 Writes to foreign memory regions 8->37 39 Tries to detect Any.run 8->39 41 Hides threads from debuggers 8->41 11 CasPol.exe 13 8->11         started        15 svchost.exe 2 1 8->15         started        17 CasPol.exe 8->17         started        process6 dnsIp7 25 drive.google.com 142.250.186.46, 443, 49757, 49758 GOOGLEUS United States 11->25 43 Tries to detect Any.run 11->43 45 Hides threads from debuggers 11->45 19 conhost.exe 11->19         started        27 192.168.11.1 unknown unknown 15->27 signatures8 process9

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    20211129.exe37%VirustotalBrowse
    20211129.exe22%MetadefenderBrowse
    20211129.exe51%ReversingLabsWin32.Trojan.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    SourceDetectionScannerLabelLinkDownload
    3.0.20211129.exe.400000.0.unpack100%AviraHEUR/AGEN.1140082Download File
    3.2.20211129.exe.400000.0.unpack100%AviraHEUR/AGEN.1140082Download File

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://schemas.mi0%Avira URL Cloudsafe
    https://csp.withgoogle.com/csp/drive-0%Avira URL Cloudsafe
    http://schemas.xmlsoap.o0%VirustotalBrowse
    http://schemas.xmlsoap.o0%Avira URL Cloudsafe
    https://login.liUTF-16p0%Avira URL Cloudsafe
    https://csp.witW0%Avira URL Cloudsafe
    https://login.liUTF-8p0%Avira URL Cloudsafe
    https://csp.withgoogle.com/csp/report-to/gse_l9ocaq0%Avira URL Cloudsafe
    http://passport.net/tb0%Avira URL Cloudsafe
    http://go.microsoft.c0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    drive.google.com
    		142.250.186.46
    		truefalse
      		high

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://schemas.misvchost.exe, 00000027.00000002.5671194226.00000118BE300000.00000004.00000001.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdngsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
        		high
        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdpen.orsvchost.exe, 00000027.00000003.4355511851.00000118BE329000.00000004.00000001.sdmpfalse
          		high
          https://csp.withgoogle.com/csp/drive-CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://drive.google.com/rCasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
            		high
            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
              		high
              http://schemas.xmlsoap.osvchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                		high
                https://drive.google.com/)ZCasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmpfalse
                  		high
                  http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 00000027.00000003.4355511851.00000118BE329000.00000004.00000001.sdmpfalse
                    		high
                    https://drive.google.com/&0CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmpfalse
                      		high
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesvchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmpfalse
                        		high
                        https://drive.google.com/CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                          		high
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAAsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
                            		high
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
                              		high
                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                		high
                                https://account.live.com/InlineSignup.aspx?iww=1&id=80502svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                  		high
                                  https://login.liUTF-16psvchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://csp.witWCasPol.exe, 0000000A.00000003.1245237921.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1235512662.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240307477.00000000010C4000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1249727247.00000000010C4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://drive.google.com/IZCasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmpfalse
                                    		high
                                    https://drive.google.com/_1CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpfalse
                                      		high
                                      https://signup.live.com/signup.aspxsvchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmpfalse
                                        		high
                                        https://drive.google.com/ificateCasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpfalse
                                          		high
                                          https://drive.google.com/l-inCasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpfalse
                                            		high
                                            https://login.liUTF-8psvchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdjA1BXsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
                                              		high
                                              https://drive.google.com/aCasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpfalse
                                                		high
                                                https://csp.withgoogle.com/csp/report-to/gse_l9ocaqCasPol.exe, 0000000A.00000003.1418352024.0000000001086000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://drive.google.com/YZCasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://drive.google.com/4CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://drive.google.com/.comCasPol.exe, 0000000A.00000003.974991671.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.966839566.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.971031097.00000000010CC000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/ws/2005/02/sc2svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    https://drive.google.com/801120000ZCasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.995236945.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1010716464.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1003053908.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1006517768.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1011265015.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.999183510.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                                                                      		high
                                                                      https://account.live.com/msangcwamsvchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353134865.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353708531.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353769959.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://drive.google.com/0CasPol.exe, 0000000A.00000003.1527857016.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1510657164.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023624193.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1109694801.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1091688645.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1015256028.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1268876484.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1505569442.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1426150096.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1132319024.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1023082679.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1619484442.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1682381449.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1202477250.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1264597229.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1678149840.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1014770209.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1212051911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1644459673.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1352793488.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1357639560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1557308992.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1114305795.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1532058795.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1479391954.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1372784824.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1454565833.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1118624280.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1190083274.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1279280833.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1185285443.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1540615749.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1086601706.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1430669472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1648907599.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1216907576.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1497289752.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1606978796.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1193918419.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1361102617.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1475449879.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1627681457.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1274351968.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1582904472.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1409413564.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1207819508.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1665676560.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1591336893.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1536189550.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1081634438.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1657380503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1565309917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1198211269.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1105731206.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1018963773.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1417886997.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1569375143.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1450369102.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1123766425.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1392469836.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1463023789.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1515079655.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1548932002.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1661429363.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1635987637.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1376915309.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1519463475.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1611057852.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1493046735.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1640170520.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1368677046.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1631872589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1019494575.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1484096503.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1523795072.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1488542370.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1602788021.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1598697517.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1421846496.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1578441267.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1623570355.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1127552496.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1653018957.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1095566911.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1385240343.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1396478693.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1442624764.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1467145009.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1544680068.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1381071817.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1413663648.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1458497204.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1471409119.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1401003589.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1348905890.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1674355136.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1573878793.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1438744917.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1615162201.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1561191050.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1405317356.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1553415909.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1501252057.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1670398082.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1434704829.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://drive.google.com/aZCasPol.exe, 0000000A.00000003.1344896982.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1141979978.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1341103706.00000000010CA000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1145826906.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1136806148.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            https://drive.google.com/uk1CasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpfalse
                                                                              		high
                                                                              http://passport.net/tbsvchost.exe, 00000027.00000002.5666537365.00000118BDAA6000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5665866140.00000118BDA92000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://drive.google.com/iZCasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000027.00000003.4355597128.00000118BE32F000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  https://drive.google.com/qZCasPol.exe, 0000000A.00000003.1158900796.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1058483650.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1044760815.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1035845178.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1041017961.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1322854504.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1050367165.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1302695710.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1068299561.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1036648245.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1163935670.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1054082705.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1150889197.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1154757957.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1288821429.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1327868719.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1284172953.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1031443916.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027916036.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1076842959.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1298357350.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1040407031.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1063020451.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1332465736.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1027232661.00000000010C5000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1072241228.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1318340346.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1032133493.00000000010C9000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1045678730.00000000010C9000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                          		high
                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                            		high
                                                                                            https://drive.google.com/.azu)ZCasPol.exe, 0000000A.00000003.978934999.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.983199877.00000000010CB000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://drive.google.com/yZCasPol.exe, 0000000A.00000003.1221748613.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1236218340.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1308063541.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1245349375.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1259095337.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1168429485.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1336674563.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1231569686.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1226274825.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1250281092.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1176662662.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1181053067.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1255088244.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1100278554.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1293517947.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1240425727.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1312764031.00000000010CC000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.1172215076.00000000010CC000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://drive.google.com/ertificatesCasPol.exe, 0000000A.00000003.1586919356.00000000010C5000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdKeyInfsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000027.00000002.5673537429.00000118BE36D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361009575.00000118BE36C000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      https://drive.google.com/healCasPol.exe, 0000000A.00000003.987201140.00000000010CB000.00000004.00000001.sdmp, CasPol.exe, 0000000A.00000003.991137278.00000000010CB000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        http://go.microsoft.csvchost.exe, 00000027.00000002.5663320824.00000118BDA40000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        		unknown
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353180100.00000118BE32C000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 00000027.00000002.5664283353.00000118BDA64000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673006439.00000118BE351000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4363878178.00000118BE350000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5672558936.00000118BE341000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353462698.00000118BE33B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4353884268.00000118BE340000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 00000027.00000003.4361518755.00000118BE35D000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4360848351.00000118BE378000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5673923044.00000118BE37A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.5671194226.00000118BE300000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.4361277833.00000118BE340000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds/SOsvchost.exe, 00000027.00000003.4361669974.00000118BE329000.00000004.00000001.sdmpfalse
                                                                                                                  		high

                                                                                                                  Contacted IPs

                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs

                                                                                                                  Public

                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                  142.250.186.46
                                                                                                                  		drive.google.comUnited States
                                                                                                                  		15169GOOGLEUSfalse

                                                                                                                  Private

                                                                                                                  IP
                                                                                                                  192.168.11.1

                                                                                                                  General Information

                                                                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                  Analysis ID:532897
                                                                                                                  Start date:02.12.2021
                                                                                                                  Start time:19:45:00
                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                  Overall analysis duration:0h 14m 0s
                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                  Report type:light
                                                                                                                  Sample file name:20211129.exe
                                                                                                                  Cookbook file name:default.jbs
                                                                                                                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                                  Run name:Suspected Instruction Hammering
                                                                                                                  Number of analysed new started processes analysed:42
                                                                                                                  Number of new started drivers analysed:0
                                                                                                                  Number of existing processes analysed:0
                                                                                                                  Number of existing drivers analysed:0
                                                                                                                  Number of injected processes analysed:0
                                                                                                                  Technologies:
                                                                                                                  • HCA enabled
                                                                                                                  • EGA enabled
                                                                                                                  • HDC enabled
                                                                                                                  • AMSI enabled
                                                                                                                  Analysis Mode:default
                                                                                                                  Analysis stop reason:Timeout
                                                                                                                  Detection:MAL
                                                                                                                  Classification:mal96.rans.troj.evad.winEXE@7/0@1/2
                                                                                                                  EGA Information:Failed
                                                                                                                  HDC Information:Failed
                                                                                                                  HCA Information:Failed
                                                                                                                  Cookbook Comments:
                                                                                                                  • Adjust boot time
                                                                                                                  • Enable AMSI
                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                  Warnings:
                                                                                                                  Show All
                                                                                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, BdeUISrv.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, IntelPTTEKRecertification.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                  • TCP Packets have been reduced to 100
                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.82.19.171, 20.190.159.138, 20.190.159.136, 40.126.31.6, 40.126.31.1, 40.126.31.139, 40.126.31.143, 40.126.31.141, 40.126.31.137
                                                                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, login.live.com, evoke-windowsservices-tas.msedge.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                  • Report size exceeded maximum capacity and may have missing network information.
                                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                  Simulations

                                                                                                                  Behavior and APIs

                                                                                                                  TimeTypeDescription
                                                                                                                  19:47:47Task SchedulerRun new task: Intel PTT EK Recertification path: "C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe"
                                                                                                                  19:48:23API Interceptor1429x Sleep call for process: CasPol.exe modified

                                                                                                                  Joe Sandbox View / Context

                                                                                                                  IPs

                                                                                                                  No context

                                                                                                                  Domains

                                                                                                                  No context

                                                                                                                  ASN

                                                                                                                  No context

                                                                                                                  JA3 Fingerprints

                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                  37f463bf4616ecd445d4a1937da06e19CTvjbMY3DK.dllGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  CTvjbMY3DK.dllGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  FT A75619637369.vbsGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  OSJlMxel05.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  fel.com.htmlGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  S6RqSs1LsE.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  4RXRHeZIG8.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  kEwILWnlG5.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  kEwILWnlG5.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  SecuriteInfo.com.W32.AIDetect.malware2.32340.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  mUYEdn5OC0.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  new offers885111832.docxGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  _0.htmlGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  lifehacks_6582318243.docxGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  counter-1248368226.xlsGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  ukmxWblFcs.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  Narudzba.0953635637.PDF.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  Orden de compra.exeGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46
                                                                                                                  EmployeeAssessment.htmlGet hashmaliciousBrowse
                                                                                                                  • 142.250.186.46

                                                                                                                  Dropped Files

                                                                                                                  No context

                                                                                                                  Created / dropped Files

                                                                                                                  No created / dropped files found

                                                                                                                  Static File Info

                                                                                                                  General

                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):5.14253569878617
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                                                                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:20211129.exe
                                                                                                                  File size:156816
                                                                                                                  MD5:672587fb175264ef8b45a2b0857f273f
                                                                                                                  SHA1:ab7c2f5edf572d5b28d7da50f548d73d49f92b71
                                                                                                                  SHA256:c00b66ef61df2012b269bca3e60b301478641292948f1cac579096603ad67f98
                                                                                                                  SHA512:67d7444cb44d8b9be7ed2301e64a2368ac21f370b98cbdcdcff895ad35d66e097372c3b50eb5906ef8acc942316a6fe117522988e433660989abaa9caed9076f
                                                                                                                  SSDEEP:1536:BUHEm7YNXO6rJiEqawzLDnzf4YIOBFKrf2m6+TFy2rsm1uQBH:BgEm7c+wk7rLDBKH
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...*D.X................. ...0...............0....@................

                                                                                                                  File Icon

                                                                                                                  Icon Hash:20047c7c70f0e004

                                                                                                                  Static PE Info

                                                                                                                  General

                                                                                                                  Entrypoint:0x401888
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:true
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                  DLL Characteristics:
                                                                                                                  Time Stamp:0x58F4442A [Mon Apr 17 04:27:22 2017 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:4
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:4
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:4
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:b209c8634733456633136bfedc71877a

                                                                                                                  Authenticode Signature

                                                                                                                  Signature Valid:false
                                                                                                                  Signature Issuer:E=affaldsproblemernes@Sisi.tr, CN=Topmargenernes6, OU=Discoplacenta4, O=Pearlings4, L=Tryptone, S=Hydrencephalus4, C=CC
                                                                                                                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                  Error Number:-2146762487
                                                                                                                  Not Before, Not After
                                                                                                                  • 01/12/2021 11:02:36 01/12/2022 11:02:36
                                                                                                                  Subject Chain
                                                                                                                  • E=affaldsproblemernes@Sisi.tr, CN=Topmargenernes6, OU=Discoplacenta4, O=Pearlings4, L=Tryptone, S=Hydrencephalus4, C=CC
                                                                                                                  Version:3
                                                                                                                  Thumbprint MD5:A09281A46CB4122164B30FB05611CD3F
                                                                                                                  Thumbprint SHA-1:75FB258FE049C5BD134BB76066831E5C0A29A387
                                                                                                                  Thumbprint SHA-256:8502EA39172E6385A457D26EB0847AE9378028A76658050B270AB02D86DCDB01
                                                                                                                  Serial:00

                                                                                                                  Entrypoint Preview

                                                                                                                  Instruction
                                                                                                                  push 004019B8h
                                                                                                                  call 00007F53F480AB25h
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  xor byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  cmp byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  pop es
                                                                                                                  sahf
                                                                                                                  xor byte ptr [edx+ecx-42B8711Dh], ah
                                                                                                                  adc bl, ch
                                                                                                                  test al, 3Fh
                                                                                                                  inc esp
                                                                                                                  add ch, 00000000h
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [ecx], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax+eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  inc edx
                                                                                                                  push ebp
                                                                                                                  push edx
                                                                                                                  dec ecx
                                                                                                                  inc ecx
                                                                                                                  dec esp
                                                                                                                  add byte ptr [ebx], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  dec esp
                                                                                                                  xor dword ptr [eax], eax
                                                                                                                  add byte ptr [8DDC4E59h], dh
                                                                                                                  call far 6341h : 6083488Fh
                                                                                                                  jbe 00007F53F480AAD4h
                                                                                                                  insb
                                                                                                                  in eax, 19h
                                                                                                                  cld
                                                                                                                  call 00007F53D609C69Ch
                                                                                                                  dec esi
                                                                                                                  mov eax, 22D1BED9h
                                                                                                                  dec eax
                                                                                                                  cmp cl, 0000003Ah
                                                                                                                  dec edi
                                                                                                                  lodsd
                                                                                                                  xor ebx, dword ptr [ecx-48EE309Ah]
                                                                                                                  or al, 00h
                                                                                                                  stosb
                                                                                                                  add byte ptr [eax-2Dh], ah
                                                                                                                  xchg eax, ebx
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [eax], al
                                                                                                                  dec esi
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [ecx+00h], cl
                                                                                                                  add byte ptr [eax], al
                                                                                                                  add byte ptr [edi], al
                                                                                                                  add byte ptr [edi+55h], al
                                                                                                                  dec esp
                                                                                                                  dec esi
                                                                                                                  inc ecx
                                                                                                                  push edx
                                                                                                                  inc ebp
                                                                                                                  add byte ptr [53000B01h], cl
                                                                                                                  imul esi, dword ptr [edx+69h], 64h
                                                                                                                  outsb
                                                                                                                  jnc 00007F53F480AB6Ah
                                                                                                                  add byte ptr [ecx], bl
                                                                                                                  add dword ptr [eax], eax

                                                                                                                  Data Directories

                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x219c40x28.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x250000x970.rsrc
                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x250000x1490
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x10000x234.text
                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                  Sections

                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                  .text0x10000x210b40x22000False0.360753676471data5.21959711886IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                  .data0x230000x122c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                  .rsrc0x250000x9700x1000False0.174072265625data2.04745900646IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                  Resources

                                                                                                                  NameRVASizeTypeLanguageCountry
                                                                                                                  RT_ICON0x258400x130data
                                                                                                                  RT_ICON0x255580x2e8data
                                                                                                                  RT_ICON0x254300x128GLS_BINARY_LSB_FIRST
                                                                                                                  RT_GROUP_ICON0x254000x30data
                                                                                                                  RT_VERSION0x251500x2b0dataChineseTaiwan

                                                                                                                  Imports

                                                                                                                  DLLImport
                                                                                                                  MSVBVM60.DLL__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                                                                                  Version Infos

                                                                                                                  DescriptionData
                                                                                                                  Translation0x0404 0x04b0
                                                                                                                  LegalCopyrightUnion
                                                                                                                  InternalNametofrontskrig
                                                                                                                  FileVersion4.00
                                                                                                                  CompanyNameUnion
                                                                                                                  LegalTrademarksUnion
                                                                                                                  ProductNameUnion
                                                                                                                  ProductVersion4.00
                                                                                                                  FileDescriptionUnion
                                                                                                                  OriginalFilenametofrontskrig.exe

                                                                                                                  Possible Origin

                                                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                                                  ChineseTaiwan

                                                                                                                  Network Behavior

                                                                                                                  Network Port Distribution

                                                                                                                  TCP Packets

                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                  Dec 2, 2021 19:48:24.107168913 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.107240915 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.107471943 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.135466099 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.135520935 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.188224077 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.188416958 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.191164017 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.191474915 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.300977945 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.301043987 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.301722050 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.301882029 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.312534094 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.355856895 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.465198040 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.465404034 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.465461016 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.465610027 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.465663910 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.465817928 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.519547939 CET49757443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.519603968 CET44349757142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.621584892 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.621711969 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.621953011 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.622162104 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.622210026 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.657419920 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.657604933 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.657963037 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.658174038 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.658196926 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.819461107 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.819690943 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.819781065 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.819976091 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:24.819997072 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.820132017 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.820259094 CET49758443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:24.820316076 CET44349758142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.027652979 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.027713060 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.027848005 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.031230927 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.031253099 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.061547995 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.061871052 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.062201023 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.062377930 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.062391043 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.232577085 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.232835054 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.232891083 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.232945919 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.233001947 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.233186960 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.233254910 CET49759443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.233299017 CET44349759142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.433942080 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.434017897 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.434164047 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.434551001 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.434608936 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.470277071 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.470743895 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.471107006 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.471259117 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.471489906 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.625329971 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.625571966 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.625612974 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.625660896 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.625766039 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.625884056 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.625998020 CET49760443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.626032114 CET44349760142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.839915991 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.839957952 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.840162039 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.840471029 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.840481043 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.871100903 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:25.871223927 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.871501923 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.871687889 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:25.871716976 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.024780989 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.024949074 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.025008917 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.025063038 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.025149107 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.025218964 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.025372982 CET49761443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.025424957 CET44349761142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.230694056 CET49762443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.230813980 CET44349762142.250.186.46192.168.11.20
                                                                                                                  Dec 2, 2021 19:48:26.231122971 CET49762443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.231430054 CET49762443192.168.11.20142.250.186.46
                                                                                                                  Dec 2, 2021 19:48:26.231489897 CET44349762142.250.186.46192.168.11.20

                                                                                                                  DNS Queries

                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                  Dec 2, 2021 19:48:24.089648008 CET192.168.11.201.1.1.10xb7e4Standard query (0)drive.google.comA (IP address)IN (0x0001)

                                                                                                                  DNS Answers

                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                  Dec 2, 2021 19:48:24.099092007 CET1.1.1.1192.168.11.200xb7e4No error (0)drive.google.com142.250.186.46A (IP address)IN (0x0001)
                                                                                                                  Dec 2, 2021 19:54:03.931977034 CET1.1.1.1192.168.11.200x5aeeNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.akadns.netCNAME (Canonical name)IN (0x0001)

                                                                                                                  Code Manipulations

                                                                                                                  Statistics

                                                                                                                  Behavior

                                                                                                                  Click to jump to process

                                                                                                                  System Behavior

                                                                                                                  Analysis Process: 20211129.exe PID: 8840 Parent PID: 7092

                                                                                                                  General

                                                                                                                  Start time:19:47:46
                                                                                                                  Start date:02/12/2021
                                                                                                                  Path:C:\Users\user\Desktop\20211129.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\20211129.exe"
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:156816 bytes
                                                                                                                  MD5 hash:672587FB175264EF8B45A2B0857F273F
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:Visual Basic
                                                                                                                  Reputation:low

                                                                                                                  Analysis Process: CasPol.exe PID: 3264 Parent PID: 8840

                                                                                                                  General

                                                                                                                  Start time:19:48:04
                                                                                                                  Start date:02/12/2021
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\Desktop\20211129.exe"
                                                                                                                  Imagebase:0x4c0000
                                                                                                                  File size:108664 bytes
                                                                                                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  Analysis Process: CasPol.exe PID: 3248 Parent PID: 8840

                                                                                                                  General

                                                                                                                  Start time:19:48:05
                                                                                                                  Start date:02/12/2021
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\20211129.exe"
                                                                                                                  Imagebase:0xa30000
                                                                                                                  File size:108664 bytes
                                                                                                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000000.785162355.0000000000E10000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                  Reputation:moderate

                                                                                                                  Analysis Process: conhost.exe PID: 3200 Parent PID: 3248

                                                                                                                  General

                                                                                                                  Start time:19:48:05
                                                                                                                  Start date:02/12/2021
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff65f6a0000
                                                                                                                  File size:875008 bytes
                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  Analysis Process: svchost.exe PID: 3264 Parent PID: 956

                                                                                                                  General

                                                                                                                  Start time:19:54:02
                                                                                                                  Start date:02/12/2021
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                  Imagebase:0x7ff78c080000
                                                                                                                  File size:57360 bytes
                                                                                                                  MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate

                                                                                                                  Disassembly

                                                                                                                  Code Analysis

                                                                                                                  Reset < >