Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose, | 0_2_00406873 |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 0_2_00405C49 |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_0040290B FindFirstFileW, | 0_2_0040290B |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_00406873 FindFirstFileW,FindClose, | 16_2_00406873 |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 16_2_00405C49 |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_0040290B FindFirstFileW, | 16_2_0040290B |
Source: CasPol.exe, 00000007.00000002.574115115.000000001E4A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: CasPol.exe, 00000007.00000002.574115115.000000001E4A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp, CasPol.exe, 00000007.00000003.518887334.0000000001667000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: sKxsGhU1Wg.exe, misv.exe.7.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: CasPol.exe, 00000007.00000002.574115115.000000001E4A1000.00000004.00000001.sdmp | String found in binary or memory: http://rOTpQz.com |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: http://s.symcd.com06 |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: CasPol.exe, 00000007.00000002.574115115.000000001E4A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0% |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: sKxsGhU1Wg.exe, 00000000.00000002.305120971.000000000040D000.00000004.00020000.sdmp, sKxsGhU1Wg.exe, 00000000.00000002.305143425.0000000000427000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531379693.0000000000425000.00000004.00020000.sdmp, misv.exe, 00000010.00000002.531332116.000000000040F000.00000004.00020000.sdmp, misv.exe.16.dr, Acly3.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0. |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp | String found in binary or memory: https://eruitg.bl.files.1drv.com/ |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp | String found in binary or memory: https://eruitg.bl.files.1drv.com/J8 |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp, CasPol.exe, 00000007.00000003.518887334.0000000001667000.00000004.00000001.sdmp, CasPol.exe, 00000007.00000002.569873651.000000000164C000.00000004.00000020.sdmp | String found in binary or memory: https://eruitg.bl.files.1drv.com/y4mHkTfggODxx7RkoqQxmNWfCL9FqVrcaBSQyvxAjjL4nb6ixOwtQYT-CR8mlHIv8F6 |
Source: CasPol.exe, 00000007.00000003.520013739.00000000016A6000.00000004.00000001.sdmp | String found in binary or memory: https://eruitg.bl.files.1drv.com/y4mmHvF7gtDYcEKVAssw8HHYEmYy3e8Ia5MiUMo-LLWA4ncs-iDGRsmtfbC3LjnmU1r |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp | String found in binary or memory: https://fspzka.bl.files.1drv.com/ |
Source: CasPol.exe, 00000007.00000003.525455431.000000001E051000.00000004.00000001.sdmp, CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp, CasPol.exe, 00000007.00000003.525432805.00000000016DC000.00000004.00000001.sdmp, CasPol.exe, 00000007.00000002.569866465.0000000001646000.00000004.00000020.sdmp | String found in binary or memory: https://fspzka.bl.files.1drv.com/y4m1xaMmJywZq6SCR6mVqa7Op5my9_PY7iegM-lArgf5nc3THKAdgguhWrxWSKxFgJ3 |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp, CasPol.exe, 00000007.00000003.526535753.000000001E055000.00000004.00000001.sdmp | String found in binary or memory: https://fspzka.bl.files.1drv.com/y4mOjkceJ6izWrzWM13rG3hQXo0-P1_gDe3S_t4ZWc__sfMR4hK-pncdB-od0qFCPrP |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/ |
Source: CasPol.exe, 00000007.00000002.569760850.00000000015E7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/_ |
Source: CasPol.exe, 00000007.00000002.569845526.0000000001632000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6X |
Source: CasPol.exe, 00000007.00000002.569845526.0000000001632000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200 |
Source: CasPol.exe, 00000007.00000002.569911797.0000000001667000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/ve.live.com/Q7 |
Source: CasPol.exe, 00000007.00000002.569760850.00000000015E7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/w |
Source: CasPol.exe, 00000007.00000002.574115115.000000001E4A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, | 0_2_004056DE |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 0_2_0040352D |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 16_2_0040352D |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_0040755C | 0_2_0040755C |
Source: C:\Users\user\Desktop\sKxsGhU1Wg.exe | Code function: 0_2_00406D85 | 0_2_00406D85 |
Source: C:\Users\user\AppData\Local\Temp\Acly3.exe | Code function: 1_2_00401724 | 1_2_00401724 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 7_2_01114840 | 7_2_01114840 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 7_2_1E383D2C | 7_2_1E383D2C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 7_2_1E384800 | 7_2_1E384800 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 7_2_1E3854F2 | 7_2_1E3854F2 |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_0040755C | 16_2_0040755C |
Source: C:\Users\user\AppData\Roaming\misv.exe | Code function: 16_2_00406D85 | 16_2_00406D85 |
Source: C:\Users\user\AppData\Local\Temp\misv.exe | Code function: 17_2_00401724 | 17_2_00401724 |
Source: C:\Users\user\AppData\Local\Temp\misv.exe | Code function: 17_2_0369405C | 17_2_0369405C |
Source: C:\Users\user\AppData\Local\Temp\misv.exe | Code function: 17_2_0368CC33 | 17_2_0368CC33 |
Source: C:\Users\user\AppData\Local\Temp\misv.exe | Code function: 17_2_03694AA2 | 17_2_03694AA2 |
Source: C:\Users\user\AppData\Local\Temp\misv.exe | Code function: 17_2_0368C781 | 17_2_0368C781 |