Windows Analysis Report
pago.exe

Overview

General Information

Sample Name: pago.exe
Analysis ID: 634139
MD5: 41db491c763c2aa61a8f4305591e3139
SHA1: 20c45ae71feccf738620764f70154f0ac5b6ac59
SHA256: 904211f6f92bb8e96d8a56077c3b95ed22c746ee17caf7fb769d786821521585

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5"}
Source: pago.exe Virustotal: Detection: 31%
Source: pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50355 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50980 version: TLS 1.2
Source: pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 50915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50295
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50299
Source: unknown Network traffic detected: HTTP traffic on port 50389 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50400 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50377 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50652 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50537 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50308 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50502 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50550 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50390 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50549 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50481 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50365 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50640 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50259
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51107
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50424 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50252
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50254
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50253
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown Network traffic detected: HTTP traffic on port 51119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50255
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50258
Source: unknown Network traffic detected: HTTP traffic on port 50353 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50257
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51103
Source: unknown Network traffic detected: HTTP traffic on port 50456 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50260
Source: unknown Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown Network traffic detected: HTTP traffic on port 50574 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50263
Source: unknown Network traffic detected: HTTP traffic on port 50952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50262
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50265
Source: unknown Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50267
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50269
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50268
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown Network traffic detected: HTTP traffic on port 50264 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pago.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: pago.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: CasPol.exe, 00000003.00000003.11288385836.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.wit
Source: CasPol.exe String found in binary or memory: https://csp.wit%Z
Source: CasPol.exe String found in binary or memory: https://csp.wit9
Source: CasPol.exe String found in binary or memory: https://csp.wit;
Source: CasPol.exe String found in binary or memory: https://csp.wit=
Source: CasPol.exe String found in binary or memory: https://csp.wit?_
Source: CasPol.exe String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: CasPol.exe String found in binary or memory: https://drive.google.com/
Source: CasPol.exe String found in binary or memory: https://drive.google.com/&xx
Source: CasPol.exe String found in binary or memory: https://drive.google.com/.xp
Source: CasPol.exe String found in binary or memory: https://drive.google.com/0
Source: CasPol.exe String found in binary or memory: https://drive.google.com/:O
Source: CasPol.exe String found in binary or memory: https://drive.google.com/;N
Source: CasPol.exe String found in binary or memory: https://drive.google.com/D
Source: CasPol.exe String found in binary or memory: https://drive.google.com/DO
Source: CasPol.exe String found in binary or memory: https://drive.google.com/EN
Source: CasPol.exe, 00000003.00000003.11318418808.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11329658756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11326002160.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11322295871.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10447130085.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11219049182.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11255028714.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10726142476.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11767865151.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240464156.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11613837370.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586662872.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11341231194.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722621602.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11356392120.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10733897731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11153845329.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11367241986.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/Fx
Source: CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/N
Source: CasPol.exe, 00000003.00000003.11329658756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11005886364.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11326002160.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454779102.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10990500451.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11691835610.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11651022001.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450948577.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11197437395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11778679798.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11775025967.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/Nx
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/V
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/X
Source: CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10777826659.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/_1
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10431603703.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/a
Source: CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/crosoft
Source: CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11909906632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11752718459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11858479014.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11902460650.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11763848646.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11914595364.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11836730304.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11854750366.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11844021010.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11825610002.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11785504010.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11778308394.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11884212900.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11876915856.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11865819520.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11943762088.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11918231677.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11932902008.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/d
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10777826659.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10756183709.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11001015720.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11013074459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10845316161.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10838156567.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11062778150.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.10990071600.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10895740106.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/ertificates
Source: CasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/gN
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450591176.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/or
Source: CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/pNA
Source: CasPol.exe, 00000003.00000003.11427788601.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11412959950.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11888411931.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10737542731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11431329632.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11884685432.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11877288268.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11088531521.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/r
Source: CasPol.exe, 00000003.00000003.10590205424.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586662872.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/tagservices-cn.com
Source: CasPol.exe, 00000003.00000003.10446771552.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10805249557.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11873151954.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ
00000003.00000003.11858479014.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11902460650.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQ
Source: CasPol.exe, 00000003.00000003.11258179197.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11095604680.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11352003223.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10794499847.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQry
Source: CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10504902405.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10508559279.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQs
Source: CasPol.exe, 00000003.00000003.11318418808.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11599073404.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11595481769.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10794875834.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11719025756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11658141520.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11109860515.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11807865757.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11204814683.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11613837370.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11811534853.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11617517662.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11270221356.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11661625882.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11621145763.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113913042.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11013524081.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/vy
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50355 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50980 version: TLS 1.2
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004056DE
Source: pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB67A3 NtProtectVirtualMemory, 1_2_02BB67A3
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB48BE LoadLibraryA,NtAllocateVirtualMemory, 1_2_02BB48BE
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB6DFE NtResumeThread, 1_2_02BB6DFE
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr Static PE information: No import functions for PE file found
Source: pago.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\pago.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: pago.exe Static PE information: invalid certificate
Source: pago.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\pago.exe File read: C:\Users\user\Desktop\pago.exe Jump to behavior
Source: pago.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\pago.exe "C:\Users\user\Desktop\pago.exe"
Source: C:\Users\user\Desktop\pago.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pago.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe" Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\nstE967.tmp Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@4/7@1/1
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\pago.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_0040498A
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
Source: pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr

Data Obfuscation

Source: Yara match File source: 00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.10305977883.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_70FE30C0 push eax; ret 1_2_70FE30EE
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA7A6D push ebp; retf 1_2_02BA7A6F
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA30B3 push ebp; ret 1_2_02BA30B4
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA3CCD push ss; ret 1_2_02BA3CD5
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA1500 push 3C20EBCAh; ret 1_2_02BA150D
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_70FE1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70FE1BFF
Source: System.Runtime.CompilerServices.VisualC.dll.1.dr Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\nsrF138.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\pago.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\pago.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEL\
Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0H
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1612 Thread sleep time: -13910000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\pago.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA0AB8 rdtsc 1_2_02BA0AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 1391 Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405C49
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_00406873 FindFirstFileW,FindClose, 1_2_00406873
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\pago.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\pago.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pago.exe API call chain: ExitProcess graph end node
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exel\
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000003.10586819386.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493775570.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458808281.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10455040457.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10509018915.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485719759.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501669736.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439702730.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477945770.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505376949.0000000001601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0H
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000003.00000003.10586819386.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493775570.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458808281.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10455040457.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10509018915.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485719759.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501669736.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439702730.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477945770.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505376949.0000000001601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_70FE1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70FE1BFF
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA0AB8 rdtsc 1_2_02BA0AB8
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB3C8C mov eax, dword ptr fs:[00000030h] 1_2_02BB3C8C
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB4422 mov eax, dword ptr fs:[00000030h] 1_2_02BB4422
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BB5865 mov eax, dword ptr fs:[00000030h] 1_2_02BB5865
Source: C:\Users\user\Desktop\pago.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_02BA89AD LdrInitializeThunk, 1_2_02BA89AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\pago.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1100000 Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe" Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D