Source: 00000004.00000000.9599862786.0000000000F00000.00000040.00000400.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://www.fides-kenya.com/yem/wam.bin"} |
Source: SecuriteInfo.com.generic.ml.22865.exe.6932.1.memstrmin |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1570476458", "Chat URL": "https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument"} |
Source: CasPol.exe.2696.4.memstrmin |
Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendMessage"} |
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe |
Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose |
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe |
Code function: 1_2_0040290B FindFirstFileW |
Source: C:\Users\user\Desktop\SecuriteInfo.com.generic.ml.22865.exe |
Code function: 1_2_0040699E FindFirstFileW,FindClose |
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi |
Source: CasPol.exe, 00000004.00000002.14467253332.000000001D621000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.9740041211.000000001C441000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.14468117275.000000001D6D0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://V58nqJBvA8Uitwi1EyuW.com |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: network-server.png.1.dr |
String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/ |
Source: CasPol.exe, 00000004.00000002.14475025923.000000001FD16000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: CasPol.exe, 00000004.00000002.14475025923.000000001FD16000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://hqQZjN.com |
Source: SecuriteInfo.com.generic.ml.22865.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, MpCommu.dll.1.dr |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, SourceCodePro-Black.otf.1.dr |
String found in binary or memory: http://scripts.sil.org/OFLSource |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://www.avast.com0/ |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: CasPol.exe, 00000004.00000002.14444614539.000000000112B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.fides-kenya.com/yem/wam.bin |
Source: CasPol.exe, 00000004.00000002.14467843631.000000001D698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org |
Source: CasPol.exe, 00000004.00000002.14444961038.0000000001165000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/ |
Source: CasPol.exe, 00000004.00000002.14467843631.000000001D698000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument |
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocumentdocument----- |
Source: CasPol.exe, 00000004.00000002.14472003206.000000001DA5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/ |
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com// |
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/https://login.live.com/ |
Source: CasPol.exe, 00000004.00000002.14471972041.000000001DA5A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/v104 |
Source: CasPol.exe, 00000004.00000002.14472003206.000000001DA5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash |
Source: SecuriteInfo.com.generic.ml.22865.exe, 00000001.00000002.9737691704.0000000002917000.00000004.00000800.00020000.00000000.sdmp, lang-1034.dll.1.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: CasPol.exe, 00000004.00000002.14466824232.000000001D5C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www |
Source: CasPol.exe, 00000004.00000002.14467253332.000000001D621000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_polic |