
Windows Analysis Report
pago.exe

Overview

General Information

Sample Name: pago.exe
Analysis ID: 634139
MD5: 41db491c763c2aa61a8f4305591e3139
SHA1: 20c45ae71feccf738620764f70154f0ac5b6ac59
SHA256: 904211f6f92bb8e96d8a56077c3b95ed22c746ee17caf7fb769d786821521585

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • pago.exe (PID: 3984 cmdline: "C:\Users\user\Desktop\pago.exe" MD5: 41DB491C763C2AA61A8F4305591E3139)
    • CasPol.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\pago.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
{"Payload URL": "https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5"}
Source | Rule | Description | Author | Strings
00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000003.00000000.10305977883.0000000001100000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5"}
Source: pago.exe | Virustotal: Detection: 31%
Source: pago.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50355 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50980 version: TLS 1.2
Source: pago.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb | source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb | source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS | source: System.Runtime.CompilerServices.VisualC.dll.1.dr
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_0040290B FindFirstFileW,

Networking

Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50793
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50792
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50311
      Source: unknownNetwork traffic detected: HTTP traffic on port 50394 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50619 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50795
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50310
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50794
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50313
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50797
      Source: unknownNetwork traffic detected: HTTP traffic on port 50223 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50312
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50796
      Source: unknownNetwork traffic detected: HTTP traffic on port 51069 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50349 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 51013 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50326
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50325
      Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50328
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50327
      Source: unknownNetwork traffic detected: HTTP traffic on port 50828 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50329
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50320
      Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50322
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50321
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50324
      Source: unknownNetwork traffic detected: HTTP traffic on port 50488 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50323
      Source: unknownNetwork traffic detected: HTTP traffic on port 50746 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50432 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50514 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50185 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50296
      Source: unknownNetwork traffic detected: HTTP traffic on port 50915 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50295
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50298
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51142
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50297
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51143
      Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50299
      Source: unknownNetwork traffic detected: HTTP traffic on port 50389 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50400 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50148 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50377 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50652 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 51061 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50240 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50755 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50537 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50812 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50080 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50308 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50227 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50252 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50502 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50550 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50390 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50903 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 51107 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50767 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50549 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50824 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50079 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50481 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50996 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50136 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 51073 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50940 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50665 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50365 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50640 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51108
      Source: unknownNetwork traffic detected: HTTP traffic on port 50193 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50259
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51109
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51106
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51107
      Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50424 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50252
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51100
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50251
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51101
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50254
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50253
      Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50256
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51104
      Source: unknownNetwork traffic detected: HTTP traffic on port 51119 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50255
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51105
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50258
      Source: unknownNetwork traffic detected: HTTP traffic on port 50353 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51102
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50257
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51103
      Source: unknownNetwork traffic detected: HTTP traffic on port 50456 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50731 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50161 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 51048 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50261
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50260
      Source: unknownNetwork traffic detected: HTTP traffic on port 50848 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 50215 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51119
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51117
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51118
      Source: unknownNetwork traffic detected: HTTP traffic on port 50574 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50263
      Source: unknownNetwork traffic detected: HTTP traffic on port 50952 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51111
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50262
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51112
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50265
      Source: unknownNetwork traffic detected: HTTP traffic on port 50639 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50264
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51110
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50267
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51115
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50266
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51116
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50269
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51113
      Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50268
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51114
      Source: unknownNetwork traffic detected: HTTP traffic on port 50264 -> 443
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: pago.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
      Source: pago.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
      Source: pago.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
      Source: pago.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: pago.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
      Source: pago.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
      Source: pago.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
      Source: pago.exe | String found in binary or memory: http://subca.ocsp-certum.com01
      Source: pago.exe | String found in binary or memory: http://subca.ocsp-certum.com02
      Source: pago.exe | String found in binary or memory: http://subca.ocsp-certum.com05
      Source: pago.exe | String found in binary or memory: http://www.certum.pl/CPS0
      Source: CasPol.exe, 00000003.00000003.11288385836.0000000001641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.wit
      Source: CasPol.exe, 00000003.00000003.11654105332.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11646915586.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11650600802.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11657721764.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.wit9
      Source: CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11120500920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11116994997.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11131458070.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11124152394.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11127780563.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.wit=
      Source: CasPol.exe, 00000003.00000003.10805249557.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11190168208.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11873151954.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
      Source: CasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439433586.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/:O
      Source: CasPol.exe, 00000003.00000003.10473851646.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10462243555.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10470093101.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10466142710.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458487274.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/;N
      Source: CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11643187107.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11138676639.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11381318779.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11654105332.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11471038381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11333346775.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11200613571.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11725868249.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11236564730.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11481937364.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11489973696.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/D
      Source: CasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10462243555.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10431930783.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10470093101.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10466142710.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458487274.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439433586.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435616398.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/DO
      Source: CasPol.exe, 00000003.00000003.10512475234.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473851646.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10462243555.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10470093101.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10590133678.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10497322070.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10466142710.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501316607.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458487274.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586546730.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481515123.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493368770.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10508779607.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485368855.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505157106.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477673791.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489320415.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/EN
      Source: CasPol.exe, 00000003.00000003.11318418808.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11329658756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11326002160.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11322295871.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10447130085.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11219049182.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11255028714.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10726142476.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11767865151.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240464156.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11613837370.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586662872.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11341231194.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722621602.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11356392120.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10733897731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11153845329.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11367241986.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/Fx
      Source: CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/N
      Source: CasPol.exe, 00000003.00000003.11329658756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11005886364.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11326002160.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454779102.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10990500451.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11691835610.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11651022001.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450948577.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11197437395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11778679798.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11775025967.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/Nx
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/V
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/X
      Source: CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10777826659.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/_1
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10431603703.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/a
      Source: CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/crosoft
      Source: CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11909906632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11752718459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11858479014.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11902460650.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11763848646.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11914595364.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11836730304.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11854750366.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11844021010.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11825610002.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11785504010.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11778308394.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11884212900.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11876915856.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11865819520.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11943762088.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11918231677.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11932902008.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/d
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10777826659.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10756183709.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11001015720.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11013074459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10845316161.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10838156567.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11062778150.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10990071600.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10895740106.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/ertificates
      Source: CasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/gN
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450591176.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/or
      Source: CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/pNA
      Source: CasPol.exe, 00000003.00000003.11427788601.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11412959950.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11888411931.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10737542731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11431329632.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11884685432.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11877288268.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11088531521.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/r
      Source: CasPol.exe, 00000003.00000003.10590205424.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586662872.0000000001652000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/tagservices-cn.com
      Source: CasPol.exe, 00000003.00000003.10446771552.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10805249557.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11873151954.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ1
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450591176.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454320427.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10504902405.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10508559279.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10446771552.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQJ
      Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450591176.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454320427.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10446771552.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQRoo
Source: CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11471038381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11481937364.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11489973696.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11478414027.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11456598311.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11449080284.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11427357394.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11423536600.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11441676251.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11463838004.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11419850890.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11416125224.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11460313426.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11434524469.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11485565402.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11438174734.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11445356552.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11474740767.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11467373843.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQXCc
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11643187107.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11138676639.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11654105332.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11909906632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11752718459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11200613571.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10845316161.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11725868249.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11858479014.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11902460650.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQ
      Source: CasPol.exe, 00000003.00000003.11258179197.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11095604680.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11352003223.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10794499847.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQry
      Source: CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10504902405.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10508559279.0000000001610000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQs
      Source: CasPol.exe, 00000003.00000003.11318418808.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11599073404.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11595481769.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10794875834.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11719025756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11658141520.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11109860515.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11807865757.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11204814683.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11613837370.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11811534853.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11617517662.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11270221356.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11661625882.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11621145763.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113913042.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11013524081.0000000001652000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/vy
      Source: System.Runtime.CompilerServices.VisualC.dll.1.drString found in binary or memory: https://github.com/dotnet/runtime
      Source: System.Runtime.CompilerServices.VisualC.dll.1.drString found in binary or memory: https://github.com/dotnet/runtimeBSJB
      Source: unknownDNS traffic detected: queries for: drive.google.com
      Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49746 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50355 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50686 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50980 version: TLS 1.2
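The string rows above show one Google Drive URL captured many times with different tails (...1pQ1, ...1pQJ, ...1pQRoo, ...1pQXCc, ...1pQeA8Cs_gKBFB_1pQ and so on), and the github.com URL from the dropped DLL once plain and once with the CLR metadata signature BSJB fused onto it: the string scanner reads past the end of the real string into whatever bytes follow it. The Python below is an added triage example, not part of this report and not Joe Sandbox code. It parses rows in the fused "Source: ...String found in binary or memory: ..." layout of this page, recovers each real URL as the longest common prefix of its garbage-suffixed copies, and pulls the queried name and the remote TLS endpoint out of the traffic rows. The sample rows are copied from this page and shortened to one memory-dump source each; the row regex, the last-token grouping rule and all function names are this example's own choices.

```python
"""IOC extraction over Joe Sandbox "Source: ... <finding>: <value>" rows.

Added example; not code from the report, from Joe Sandbox or from GuLoader.
Trailing garbage only ever extends the last path/query token of a captured URL,
so copies are grouped on everything before that token and reduced to their
longest common prefix.
"""
import re
from collections import defaultdict
from os.path import commonprefix

# Constructed input: rows copied from this report and shortened to one dump source
# each. The HTML-to-text conversion fused the Source cell onto the finding cell.
SAMPLE_ROWS = """\
Source: CasPol.exe, 00000003.00000003.11796544361.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ1
Source: CasPol.exe, 00000003.00000003.10477347637.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQJ
Source: CasPol.exe, 00000003.00000003.10435303653.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQRoo
Source: CasPol.exe, 00000003.00000003.11430915788.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQXCc
Source: CasPol.exe, 00000003.00000003.10874752893.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQ
Source: CasPol.exe, 00000003.00000003.11258179197.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQry
Source: CasPol.exe, 00000003.00000003.10512175315.0000000001610000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQeA8Cs_gKBFB_1pQs
Source: CasPol.exe, 00000003.00000003.11318418808.0000000001652000.sdmpString found in binary or memory: https://drive.google.com/vy
Source: System.Runtime.CompilerServices.VisualC.dll.1.drString found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.1.drString found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: unknownDNS traffic detected: queries for: drive.google.com
Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknownHTTPS traffic detected: 142.250.185.78:443 -> 192.168.11.20:50355 version: TLS 1.2
"""

ROW_RE = re.compile(
    r"^Source: (?P<source>.*?)"
    r"(?P<kind>String found in binary or memory|DNS traffic detected|HTTPS traffic detected)"
    r": (?P<value>.*)$"
)
URL_RE = re.compile(r"https?://\S+")
HTTPS_RE = re.compile(r"^(?P<remote>\d{1,3}(?:\.\d{1,3}){3}:\d+) -> (?P<local>\S+) version: (?P<tls>.+)$")
LAST_TOKEN_RE = re.compile(r"[^/=&?]+$")


def parse_rows(text):
    """Yield (source label, finding kind, value) for every row in the report layout."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            # Source cell is "<process or dropped file>, <dump id>, ..."; keep the first part.
            yield m.group("source").split(",")[0].strip(), m.group("kind"), m.group("value")


def group_key(url):
    """URL with its last path/query token removed; garbage copies share this key."""
    return LAST_TOKEN_RE.sub("", url)


def canonical_urls(strings):
    """Collapse trailing-garbage copies of one URL into the URL itself.

    Returns (urls, fragments). Two or more copies with the same key are reduced to
    their longest common prefix, provided that prefix reaches into the last token
    (if it does not, the members are different URLs under one directory). Single
    copies come back as fragments: there is nothing to strip the garbage against,
    and a lone 'https://drive.google.com/vy' may be an overwritten buffer.
    """
    groups = defaultdict(set)
    for s in strings:
        groups[group_key(s)].add(s)
    urls, fragments = set(), set()
    for key, members in groups.items():
        prefix = commonprefix(sorted(members))
        if len(members) > 1 and len(prefix) > len(key):
            urls.add(prefix)
        else:
            fragments.update(members)
    return sorted(urls), sorted(fragments)


def extract_iocs(text):
    """Canonical URLs with their sources, fragments, queried names, remote endpoints."""
    captured, domains, remotes = [], set(), set()
    for source, kind, value in parse_rows(text):
        if kind == "String found in binary or memory":
            captured += [(source, u) for u in URL_RE.findall(value)]
        elif kind == "DNS traffic detected":
            domains.add(value.split("queries for:", 1)[-1].strip())
        elif kind == "HTTPS traffic detected":
            m = HTTPS_RE.match(value)
            if m:
                remotes.add(m.group("remote"))
    urls, fragments = canonical_urls([u for _, u in captured])
    sources = {u: sorted({src for src, s in captured if s.startswith(u)}) for u in urls}
    return {"urls": urls, "url_sources": sources, "fragments": fragments,
            "domains": sorted(domains), "remote_endpoints": sorted(remotes)}


if __name__ == "__main__":
    for k, v in extract_iocs(SAMPLE_ROWS).items():
        print(k, v)
```

Run the block directly to print the IOC set. The canonical drive.google.com URL ends in the 33-character file id 14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ, and in this excerpt it is seen only in CasPol.exe memory dumps, never in pago.exe on disk, which is consistent with the loader decrypting its configuration after injection. A single captured copy cannot be cleaned by this method, which is why https://drive.google.com/vy is reported as a fragment rather than as a URL. One caveat on the dropped System.Runtime.CompilerServices.VisualC.dll that the github.com/dotnet/runtime string and the pdb paths further down come from: it is a .NET runtime assembly, and a link timestamp in 2073 is what a deterministic .NET build writes into that field (a hash, not a date), so the "suspicious time stamp" signature is weak evidence on its own.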
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
      Source: pago.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_0040755C
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_00406D85
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_70FE1BFF
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB3201
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB48BE
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0AB8
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA06A9
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA02A5
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0E97
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA1680
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0A85
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA16F9
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0EEA
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA02E9
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA16C0
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA7EC7
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0238
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA1638
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0A3C
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0627
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB421E
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0E15
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA066F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0266
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0E4F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA07B8
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0BBF
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0FAE
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA03FB
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA07FC
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0BF1
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0FE6
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0335
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA8F1B
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA071E
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0372
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0F75
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0751
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0F42
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA84B9
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA18B3
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA04B7
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0CAE
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA08AE
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0081
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA00FF
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0CF1
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA00F6
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA74E6
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA08DE
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA28C8
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0838
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0435
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0C2F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA101B
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA000D
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0003
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA087C
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0C70
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0066
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB5865
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB0053
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA1051
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA09BB
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA01AB
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA05A7
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA098B
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB4DFC
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA09F3
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA01F4
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA05E8
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0DD8
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB55C9
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA15C7
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA013A
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0531
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA612F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0122
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0923
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0120
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0124
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA011B
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0119
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA011E
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0D1F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0113
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0110
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0117
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0115
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA010A
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA010E
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA050F
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA010C
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0103
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0101
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0107
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA7504
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0105
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA157A
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0D62
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0961
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0567
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA1542
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB67A3 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB48BE LoadLibraryA,NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BB6DFE NtResumeThread,
      Source: System.Runtime.CompilerServices.VisualC.dll.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: System.Runtime.CompilerServices.VisualC.dll.1.drStatic PE information: No import functions for PE file found
      Source: pago.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\pago.exeSection loaded: edgegdi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dll
      Source: pago.exeStatic PE information: invalid certificate
      Source: pago.exeVirustotal: Detection: 31%
Source: C:\Users\user\Desktop\pago.exeFile read: C:\Users\user\Desktop\pago.exe
      Source: pago.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\pago.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\pago.exe "C:\Users\user\Desktop\pago.exe"
      Source: C:\Users\user\Desktop\pago.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe"
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\pago.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe"
      Source: C:\Users\user\Desktop\pago.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\pago.exeFile created: C:\Users\user\AppData\Local\Temp\nstE967.tmp
      Source: classification engineClassification label: mal80.troj.evad.winEXE@4/7@1/1
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_004021AA CoCreateInstance,
Source: C:\Users\user\Desktop\pago.exeFile read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
      Source: pago.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
      Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.1.dr
      Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.1.dr

      Data Obfuscation

      Source: Yara matchFile source: 00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000000.10305977883.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_70FE30C0 push eax; ret
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA7A6D push ebp; retf
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA30B3 push ebp; ret
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA3CCD push ss; ret
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA1500 push 3C20EBCAh; ret
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_70FE1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
      Source: System.Runtime.CompilerServices.VisualC.dll.1.drStatic PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]
Source: C:\Users\user\Desktop\pago.exeFile created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Users\user\Desktop\pago.exeFile created: C:\Users\user\AppData\Local\Temp\nsrF138.tmp\System.dll
      Source: C:\Users\user\Desktop\pago.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\pago.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\pago.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exe
      Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEL\
      Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
      Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0H
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1612Thread sleep time: -13910000s >= -30000s
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\pago.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_02BA0AB8 rdtsc
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 1391
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_00406873 FindFirstFileW,FindClose,
      Source: C:\Users\user\Desktop\pago.exeCode function: 1_2_0040290B FindFirstFileW,
      Source: C:\Users\user\Desktop\pago.exeSystem information queried: ModuleInformation
      Source: C:\Users\user\Desktop\pago.exeAPI call chain: ExitProcess graph end node
      Source: C:\Users\user\Desktop\pago.exeAPI call chain: ExitProcess graph end node
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exel\
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
      Source: CasPol.exe, 00000003.00000003.10586819386.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493775570.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458808281.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10455040457.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10509018915.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485719759.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501669736.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439702730.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477945770.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505376949.0000000001601000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
      Source: pago.exe, 00000001.00000002.10964305244.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: pago.exe, 00000001.00000002.10963112270.0000000000638000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0H
      Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: CasPol.exe, 00000003.00000003.10586819386.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493775570.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458808281.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10455040457.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10509018915.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485719759.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501669736.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439702730.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477945770.0000000001601000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505376949.0000000001601000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWB
Source: pago.exe, 00000001.00000002.10964547183.0000000004829000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_70FE1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_02BA0AB8 rdtsc
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_02BB3C8C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_02BB4422 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_02BB5865 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pago.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_02BA89AD LdrInitializeThunk,

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\pago.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1100000
Source: C:\Users\user\Desktop\pago.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\pago.exe"
Source: C:\Users\user\Desktop\pago.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
ATT&CK techniques by tactic (matrix columns, top to bottom; leading numbers are kept as shown in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 1 Access Token Manipulation; 111 Process Injection; 1 DLL Side-Loading; Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 221 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 4 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 12 Encrypted Channel; 1 Non-Application Layer Protocol; 12 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label | Link
pago.exe | 32% | Virustotal | | Browse
pago.exe | 5% | ReversingLabs | Win32.Downloader.GuLoader |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsrF138.tmp\System.dll | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nsrF138.tmp\System.dll | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://csp.wit | 0% | Avira URL Cloud | safe |
https://csp.wit= | 0% | Avira URL Cloud | safe |
https://csp.wit; | 0% | Avira URL Cloud | safe |
https://csp.wit9 | 0% | Avira URL Cloud | safe |
https://csp.wit%Z | 0% | Avira URL Cloud | safe |
http://subca.ocsp-certum.com05 | 0% | Avira URL Cloud | safe |
http://subca.ocsp-certum.com02 | 0% | Avira URL Cloud | safe |
http://subca.ocsp-certum.com01 | 0% | Avira URL Cloud | safe |
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | 0% | Avira URL Cloud | safe |
https://csp.wit?_ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.185.78 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
        https://drive.google.com/ENCasPol.exe, 00000003.00000003.10512475234.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473851646.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10462243555.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10470093101.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10590133678.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10497322070.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10466142710.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10501316607.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458487274.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586546730.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481515123.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10493368770.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10508779607.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485368855.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10505157106.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10477673791.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489320415.0000000001644000.00000004.00000020.00020000.00000000.sdmpfalse
          high
          https://drive.google.com/NxCasPol.exe, 00000003.00000003.11329658756.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11005886364.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11326002160.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454779102.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10990500451.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11691835610.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11651022001.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450948577.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11197437395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11778679798.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11775025967.0000000001652000.00000004.00000020.00020000.00000000.sdmpfalse
            high
http://crl.certum.pl/ctsca2021.crl0o | pago.exe | false | | high
http://repository.certum.pl/ctnca.cer09 | pago.exe | false | | high
http://crl.certum.pl/ctnca.crl0k | pago.exe | false | | high
https://drive.google.com/pNA | CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://drive.google.com/orCasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10481182540.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10442906491.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10489062079.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10473539920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435303653.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439116142.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10469767911.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10485058231.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10496974061.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10465841943.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10500989666.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10512175315.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10461940744.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.10493005273.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450591176.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
https://csp.wit | CasPol.exe, 00000003.00000003.11288385836.0000000001641000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://drive.google.com/rCasPol.exe, 00000003.00000003.11427788601.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11412959950.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11888411931.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10737542731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11431329632.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11884685432.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11877288268.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11088531521.0000000001652000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://drive.google.com/&xxCasPol.exe, 00000003.00000003.11541131462.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10960956292.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11385693456.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10812894314.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11381866487.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10823870957.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10968641946.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10903513518.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11277670821.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11146628922.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10590205424.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10972281260.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10979625239.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10899832876.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11563332151.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10733897731.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11566967101.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10957408022.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11190168208.0000000001652000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://drive.google.com/0CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.10777826659.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10756183709.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
https://drive.google.com/N | CasPol.exe, 00000003.00000003.10589857417.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10586224494.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10725676845.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10722204238.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://csp.wit= | CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11120500920.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11116994997.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11131458070.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11124152394.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11127780563.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nsis.sf.net/NSIS_ErrorError | pago.exe | false | | high
                                https://drive.google.com/DCasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11113467457.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11643187107.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11138676639.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11381318779.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11654105332.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11471038381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11333346775.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11200613571.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11725868249.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11236564730.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11481937364.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11489973696.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  https://csp.wit;CasPol.exe, 00000003.00000003.11910259370.0000000001641000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11591361210.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11584109786.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11566539347.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11587826848.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11602128374.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11906616575.0000000001641000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11595022091.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11598710092.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11570352755.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
https://drive.google.com/:O | CasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439433586.0000000001644000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://csp.wit9 | CasPol.exe, 00000003.00000003.11654105332.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11646915586.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11650600802.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11657721764.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/dotnet/runtime | System.Runtime.CompilerServices.VisualC.dll.1.dr | false | | high
                                      https://csp.wit%ZCasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11752718459.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11763848646.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11785504010.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11767485841.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11017932797.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11760090323.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11792762219.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11789379310.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11756813377.0000000001641000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      https://drive.google.com/DOCasPol.exe, 00000003.00000003.10447057269.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10462243555.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10431930783.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10470093101.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10450877531.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10443233854.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10454670711.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10466142710.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458487274.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10439433586.0000000001644000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10435616398.0000000001644000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
http://repository.certum.pl/ctsca2021.cer0 | pago.exe | false | | high
                                          https://drive.google.com/XCasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 
00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
http://subca.ocsp-certum.com05 | pago.exe | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | CasPol.exe, 00000003.00000003.10805249557.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11190168208.0000000001652000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11873151954.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11551627441.0000000001610000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                              https://drive.google.com/VCasPol.exe, 00000003.00000003.10477347637.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10874752893.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11430915788.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11370430339.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10852845632.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11936516446.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10458150869.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10986315495.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11522651189.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10819644928.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11880488126.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11240029390.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11409010342.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11218702123.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11664820128.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11025068972.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.10729536768.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11452754183.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11032375205.0000000001610000.00000004.00000020.00020000.00000000.sdmp, 
CasPol.exe, 00000003.00000003.11796544361.0000000001610000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.11624374128.0000000001610000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
URL | Source | Malicious | Antivirus check | Reputation
https://drive.google.com/ertificates | CasPol.exe memory dumps | false | - | high
https://drive.google.com/vy | CasPol.exe memory dumps | false | - | high
http://subca.ocsp-certum.com02 | pago.exe | false | Avira URL Cloud: safe | unknown
http://subca.ocsp-certum.com01 | pago.exe | false | Avira URL Cloud: safe | unknown
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | CasPol.exe memory dumps | false | Avira URL Cloud: safe | unknown
https://drive.google.com/gN | CasPol.exe memory dumps | false | - | high
http://crl.certum.pl/ctnca2.crl0l | pago.exe | false | - | high
http://repository.certum.pl/ctnca2.cer09 | pago.exe | false | - | high
https://drive.google.com/tagservices-cn.com | CasPol.exe memory dumps | false | - | high
https://drive.google.com/crosoft | CasPol.exe memory dumps | false | - | high
https://github.com/dotnet/runtimeBSJB | System.Runtime.CompilerServices.VisualC.dll.1.dr | false | - | high
https://drive.google.com/Fx | CasPol.exe memory dumps | false | - | high
https://drive.google.com/_1 | CasPol.exe memory dumps | false | - | high
http://www.certum.pl/CPS0 | pago.exe | false | - | high
https://drive.google.com/;N | CasPol.exe memory dumps | false | - | high
https://drive.google.com/d | CasPol.exe memory dumps | false | - | high
https://csp.wit?_ | CasPol.exe memory dumps | false | Avira URL Cloud: safe | unknown
https://drive.google.com/a | CasPol.exe memory dumps | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.78 | drive.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 634139
Start date and time: 2022-05-25 16:54:53 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: pago.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winEXE@4/7@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 21.9% (good quality ratio 21.5%)
• Quality average: 88.2%
• Quality standard deviation: 21.4%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.93.58.141, 20.54.122.82
• Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, wdcpalt.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing network information
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
16:57:16 | API Interceptor | 1394x Sleep call for process: CasPol.exe modified
                                                                            No context
Process: C:\Users\user\Desktop\pago.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category: dropped
Size (bytes): 10390
Entropy (8bit): 7.903542919804659
Encrypted: false
SSDEEP: 192:oXRNg0EZjs8IqPEZuNsIVO+4maXz0/UXNmoSClcbUHDbq7QHofXMK5/AXBEC:KRN4sZAvBOFmGzGUIoSCabqHGXMU/aBZ
MD5: A82E06031DCD06EB3C8A5FAD0F365431
SHA1: C1EDFB9FA004A8959ABAD35AC80D85BBCE6D491A
SHA-256: 7B1FFF6C0A7F458D8DE95D0820E39C5501DC1E045B4DB29B9649A399DA77DC47
SHA-512: C7D524633E84D8A58912E3BBAFF9A08DF9F0B54760CC5375BD30C11737D395BCD94BE9F3884D92B260BAF8A30956E025CBDC348C364BA6300B70D2EF73CDE83C
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\pago.exe
File Type: data
Category: dropped
Size (bytes): 97167
Entropy (8bit): 6.6932651335642435
Encrypted: false
SSDEEP: 1536:EfXAWCQ6T7mcMoluztlNfcC4VRZIoMbHSEfn+BAy+:Ev+Q6Wc+lNf8ioMbN+BP+
MD5: 6F25FEEFB6A9A623BA078478EE1AEEC2
SHA1: 4D3FD6287027B2DE74867136478569CCBF86631A
SHA-256: C21E1406829942B630592ED3844D4F102A3C7DEF56B605B8DA16714A7373C235
SHA-512: 051A50DE535F20FC9928CAD362BBE896F1D04603E6372AADCC37707287B369BE5F36538CBCD879C666134112FC1A5D4A573B2FEE6BE0B8721596074B818ED562
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\pago.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 48940
Entropy (8bit): 3.999620856152349
Encrypted: false
SSDEEP: 768:Q6Ng3Z7BTx5kWGy0GXHhdq7R04CFNNGFdGf2c4nUqABwgtX0Y9ct4ekzzQ:dN4PrCaYRkrGF62c4UZBwe07t4hzU
MD5: A41261EC6495500632E1437958CBD9EF
SHA1: 1F1AC7AAEA6BFA125C61D49AF3DB5BAA7282D0E4
SHA-256: 3C7C286698CCBE7918CAC68318462094EA40F6A8501CF5E947CFF2AB08612CF4
SHA-512: 18D3CB0A741607DEE4F09374842C2EA2E5093D3E8DFF7B8ED6A6022ED4622142B97C8C92A48A907F67FD3AE33E50A8B4337E55B3A18BB448CD6A08A94796EE93
Malicious: false
                                                                            Preview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
                                                                            Process:C:\Users\user\Desktop\pago.exe
                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):19056
                                                                            Entropy (8bit):6.442411564417779
                                                                            Encrypted:false
                                                                            SSDEEP:384:8WhLWql40uIrRDTveaVEc2gK/uPHRN7xpJ/AlGseCvy:rfl40uqDTveaVCMxv/xj4y
                                                                            MD5:E3F74999CDB00FCAAA6A40A97B8F199B
                                                                            SHA1:F3A2C8DF8E98F7DCB49CBE5C4A717A6087A656D2
                                                                            SHA-256:6929BC473DF404FCED714F345479216B66B72ACF116061DF1CDD8ACAEE961333
                                                                            SHA-512:3BE3EEAB3304EFEB9594FA516B61528587CFA8453AB7B4AF991137E3A1D7E23270DA600FC341EEF703932CCFF53571ACF3CD00AEEAE47347CC36EE69B71DB37C
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(_+..........." ..... ...................................................P............`...@......@............... ...............................................&..p$...@..........T...............................................................H............text...X........ .................. ..`.data...D....0......."..............@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...V.i.s.u.a.l.C...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.
                                                                            Process:C:\Users\user\Desktop\pago.exe
                                                                            File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                            Category:dropped
                                                                            Size (bytes):217
                                                                            Entropy (8bit):6.534586335380934
                                                                            Encrypted:false
                                                                            SSDEEP:6:6v/lhPysy9LkyYu1RTqYPVFb77PhjC0E6IO7lNX5p:6v/7SNkq1lRdh77Z46IO73X3
                                                                            MD5:92DBF28E22A2BFCDDA0BCC8FB01565D7
                                                                            SHA1:2FD88523B68E1F078F7A0728039017C4886F7154
                                                                            SHA-256:71D4F559AAECBD739CF9921FDA88072D125000E3E97BF2A534D3647D79505203
                                                                            SHA-512:00C886F5C2DDB4B979FF9BCE550D6B2AAC245087FB43EA94BED81587C356F664FF2A50BE42E0BABA0E1C3D62A45E73DD51DAD64CDCF262F616C81AA2365CEC34
                                                                            Malicious:false
                                                                            Preview:.PNG........IHDR................a....sBIT....|.d.....IDAT8...A.. .E..W(..]..q.nu.r.\..R.L.?....|f&.......p!......9gp....n...h........=)t..`.O.FM7...x#/..........-].a.?._....y.. 6X..J..... h.AW....I.P...Y.....IEND.B`.
                                                                            Process:C:\Users\user\Desktop\pago.exe
                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):12288
                                                                            Entropy (8bit):5.814115788739565
                                                                            Encrypted:false
                                                                            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                            MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                            Malicious:false
                                                                            Antivirus:
• Antivirus: Metadefender, Detection: 3%
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\pago.exe
                                                                            File Type:SVG Scalable Vector Graphics image
                                                                            Category:dropped
                                                                            Size (bytes):774
                                                                            Entropy (8bit):4.396237619919732
                                                                            Encrypted:false
                                                                            SSDEEP:24:2dPnnxu3nC7ZFftJhrV5VCpCCm2csZXyn1ekBhnrwdlj:cfnGC777LGx3U15rwb
                                                                            MD5:068B4AD014326E7A847F2F7BBCC1CE3A
                                                                            SHA1:7AAA833DBDA8BFBB882FA6545A9488E3A1D50943
                                                                            SHA-256:D44417A453C6EB038275C3A44A9523E0B2D6EF6297B89E1DE20FF87BA59A351C
                                                                            SHA-512:EDBDD70019CCB3E0CCB9599EC3479FF8166F9E121739D86BE06E10F52BA3DBC7FF4F81FA52558E725FD25D058A89B191FEE86B7FE61690D1CC1CBD246E329BBF
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <path d="m 2.003906 2 h 1 h 0.03125 c 0.253906 0.011719 0.507813 0.128906 0.6875 0.3125 l 4.28125 4.28125 l 4.3125 -4.28125 c 0.265625 -0.230469 0.445313 -0.304688 0.6875 -0.3125 h 1 v 1 c 0 0.285156 -0.035156 0.550781 -0.25 0.75 l -4.28125 4.28125 l 4.25 4.25 c 0.1875 0.1875 0.28125 0.453125 0.28125 0.71875 v 1 h -1 c -0.265625 0 -0.53125 -0.09375 -0.71875 -0.28125 l -4.28125 -4.28125 l -4.28125 4.28125 c -0.1875 0.1875 -0.453125 0.28125 -0.71875 0.28125 h -1 v -1 c 0 -0.265625 0.09375 -0.53125 0.28125 -0.71875 l 4.28125 -4.25 l -4.28125 -4.28125 c -0.210937 -0.195312 -0.304687 -0.46875 -0.28125 -0.75 z m 0 0" fill="#2e3436"/>.</svg>.
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Entropy (8bit):7.043083620309494
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:pago.exe
                                                                            File size:271408
                                                                            MD5:41db491c763c2aa61a8f4305591e3139
                                                                            SHA1:20c45ae71feccf738620764f70154f0ac5b6ac59
                                                                            SHA256:904211f6f92bb8e96d8a56077c3b95ed22c746ee17caf7fb769d786821521585
                                                                            SHA512:4626fa0b838883da5960e341fcb7e23f8cdf1df106bf73ac1ca340d8580a15384ff0beaefd0cbfc841b6b73807ce614ef788e515b3c3f456841874496ed5f781
                                                                            SSDEEP:6144:TbE/HUUZ2WM2HSOCDIqfmFE/xgCT3ZkANqLT:TbJ2y5DwS/xgkJkj
                                                                            TLSH:9F44B041F3C0ECF6E46194B3E82ED3640A57EE59C0A68B1B22567A172CA33D31657EC7
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........
                                                                            Icon Hash:e4c2aeaebcb0f004
                                                                            Entrypoint:0x40352d
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                                                            Signature Valid:false
                                                                            Signature Issuer:CN="Brugerinitialerne1 Naaet5 SHELFS ", O=Thorleks, L=Washington, S=District of Columbia, C=US
                                                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                            Error Number:-2146762487
                                                                            Not Before, Not After
                                                                            • 24/05/2022 02:23:57 24/05/2023 02:23:57
                                                                            Subject Chain
                                                                            • CN="Brugerinitialerne1 Naaet5 SHELFS ", O=Thorleks, L=Washington, S=District of Columbia, C=US
                                                                            Version:3
                                                                            Thumbprint MD5:A18E59CB3B586070B1D452E15DBA379F
                                                                            Thumbprint SHA-1:9676FFAA1E0AE9B83CDEB62AF1657A1C07483B3E
                                                                            Thumbprint SHA-256:FA06C8621275BD31C7EA9C2886C8C7FA106B7635FE9F3ADC5EC24510DC441350
                                                                            Serial:843A121514829DD0
                                                                            Instruction
                                                                            push ebp
                                                                            mov ebp, esp
                                                                            sub esp, 000003F4h
                                                                            push ebx
                                                                            push esi
                                                                            push edi
                                                                            push 00000020h
                                                                            pop edi
                                                                            xor ebx, ebx
                                                                            push 00008001h
                                                                            mov dword ptr [ebp-14h], ebx
                                                                            mov dword ptr [ebp-04h], 0040A2E0h
                                                                            mov dword ptr [ebp-10h], ebx
                                                                            call dword ptr [004080CCh]
                                                                            mov esi, dword ptr [004080D0h]
                                                                            lea eax, dword ptr [ebp-00000140h]
                                                                            push eax
                                                                            mov dword ptr [ebp-0000012Ch], ebx
                                                                            mov dword ptr [ebp-2Ch], ebx
                                                                            mov dword ptr [ebp-28h], ebx
                                                                            mov dword ptr [ebp-00000140h], 0000011Ch
                                                                            call esi
                                                                            test eax, eax
                                                                            jne 00007F1EA8BA903Ah
                                                                            lea eax, dword ptr [ebp-00000140h]
                                                                            mov dword ptr [ebp-00000140h], 00000114h
                                                                            push eax
                                                                            call esi
                                                                            mov ax, word ptr [ebp-0000012Ch]
                                                                            mov ecx, dword ptr [ebp-00000112h]
                                                                            sub ax, 00000053h
                                                                            add ecx, FFFFFFD0h
                                                                            neg ax
                                                                            sbb eax, eax
                                                                            mov byte ptr [ebp-26h], 00000004h
                                                                            not eax
                                                                            and eax, ecx
                                                                            mov word ptr [ebp-2Ch], ax
                                                                            cmp dword ptr [ebp-0000013Ch], 0Ah
                                                                            jnc 00007F1EA8BA900Ah
                                                                            and word ptr [ebp-00000132h], 0000h
                                                                            mov eax, dword ptr [ebp-00000134h]
                                                                            movzx ecx, byte ptr [ebp-00000138h]
                                                                            mov dword ptr [00434FB8h], eax
                                                                            xor eax, eax
                                                                            mov ah, byte ptr [ebp-0000013Ch]
                                                                            movzx eax, ax
                                                                            or eax, ecx
                                                                            xor ecx, ecx
                                                                            mov ch, byte ptr [ebp-2Ch]
                                                                            movzx ecx, cx
                                                                            shl eax, 10h
                                                                            or eax, ecx
                                                                            Programming Language:
                                                                            • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x19100 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x40570 | 0x1ec0 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6897 | 0x6a00 | False | 0.666126179245 | data | 6.45839821493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.439275568182 | data | 5.02410928126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x36000 | 0x36000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6c000 | 0x19100 | 0x19200 | False | 0.288858442164 | data | 4.88265504154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6c2c8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216 | English | United States
RT_ICON | 0x7caf0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x80d18 | 0x25a8 | data | English | United States
RT_ICON | 0x832c0 | 0x10a8 | data | English | United States
RT_ICON | 0x84368 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x847d0 | 0x100 | data | English | United States
RT_DIALOG | 0x848d0 | 0x11c | data | English | United States
RT_DIALOG | 0x849f0 | 0xc4 | data | English | United States
RT_DIALOG | 0x84ab8 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x84b18 | 0x4c | data | English | United States
RT_VERSION | 0x84b68 | 0x254 | data | English | United States
RT_MANIFEST | 0x84dc0 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Description | Data
LegalCopyright | moletsgavn
FileVersion | 7.22.20
CompanyName | wimpinessgri
LegalTrademarks | Gear255
Comments | Draabet
ProductName | Afspnd
FileDescription | UKONVENTIO
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 25, 2022 16:57:17.362483978 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.362586975 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.362759113 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.383088112 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.383141994 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.432952881 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.433126926 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.433232069 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.436079979 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.436358929 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.567878008 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.567965984 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.568682909 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.568819046 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.572362900 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.614641905 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.766274929 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.766446114 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.766532898 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.766654968 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.766777992 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.766958952 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.767080069 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.767229080 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.767302036 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.767417908 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.767453909 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.767544031 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.767596960 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.767674923 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.772680044 CEST  49746        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.772742987 CEST  443          49746      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.940288067 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.940325022 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.940489054 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.940845013 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.940850973 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.968775988 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:17.968905926 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.969152927 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.969376087 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:17.969403028 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149180889 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149339914 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.149389029 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149545908 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.149585009 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149733067 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.149768114 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149919987 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.149962902 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.150181055 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.150260925 CEST  49747        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.150298119 CEST  443          49747      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.314505100 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.314588070 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.314732075 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.315243006 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.315304041 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.350122929 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.350310087 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.350632906 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.350826979 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.351031065 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.519058943 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.519181013 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.519226074 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.519257069 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.519368887 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.519505978 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.519552946 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.519746065 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.520512104 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.520656109 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.520700932 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.520759106 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.520780087 CEST  443          49748      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.520817995 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.520922899 CEST  49748        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.705384970 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.705459118 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.705650091 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.706238031 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.706284046 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.738774061 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.738893986 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.739399910 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.739589930 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.739844084 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.901290894 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.901453018 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.901514053 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.901667118 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.901696920 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.901901007 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.901957035 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.902156115 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.902239084 CEST  443          49749      142.250.185.78  192.168.11.20
May 25, 2022 16:57:18.902359009 CEST  49749        443        192.168.11.20   142.250.185.78
May 25, 2022 16:57:18.902388096 CEST  443          49749      142.250.185.78  192.168.11.20
DNS query
Timestamp: May 25, 2022 16:57:17.345375061 CEST
Source IP: 192.168.11.20
Dest IP: 1.1.1.1
Trans ID: 0x86ca
OP Code: Standard query (0)
Name: drive.google.com
Type: A (IP address)
Class: IN (0x0001)

DNS answer
Timestamp: May 25, 2022 16:57:17.354451895 CEST
Source IP: 1.1.1.1
Dest IP: 192.168.11.20
Trans ID: 0x86ca
Reply Code: No error (0)
Name: drive.google.com
CName: (none)
Address: 142.250.185.78
Type: A (IP address)
Class: IN (0x0001)


Target ID: 1
Start time: 16:56:44
Start date: 25/05/2022
Path: C:\Users\user\Desktop\pago.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pago.exe"
Imagebase: 0x400000
File size: 271408 bytes
MD5 hash: 41DB491C763C2AA61A8F4305591E3139
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.10964117045.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 3
Start time: 16:57:04
Start date: 25/05/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pago.exe"
Imagebase: 0xce0000
File size: 108664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000000.10305977883.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

Target ID: 4
Start time: 16:57:04
Start date: 25/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c3b60000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

No disassembly