Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DDCB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DDF310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DDF4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE64F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE9C9C CryptHashData
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE9BD0 CryptAcquireContextA,CryptCreateHash
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE8F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE6560 CryptHashData
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 8_2_00007FF7F1DE6570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E8CB60 _strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E8F310 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E99BD0 CryptAcquireContextA,CryptCreateHash
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E9934C CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E964F0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E8F4E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E99C9C CryptHashData
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E99C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E96570 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E96560 CryptHashData
Source: C:\GSlLzFnTov\GSlLzFnTov.exe
Code function: 12_2_00007FF700E98F14 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError
Source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Binary string: C:\Windows\mscorlib.pdbpdblib.pdb
Source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Binary string: System.Management.Automation.pdb
Source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb
Source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Binary string: mscorlib.pdb
Source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Binary string: n.pdb
Source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Binary string: lib.pdb
Source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Binary string: on.pdb
Source: powershell.exe, 00000006.00000002.1453710911.0000026329A81000.00000004.00000020.00020000.00000000.sdmp
Binary string: System.Core.pdb
Source: powershell.exe, 00000006.00000002.1437718358.0000026329676000.00000004.00000020.00020000.00000000.sdmp
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb
Source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
Binary string: curl.pdb
Source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Binary string: .pdb8;
Source: powershell.exe, 00000006.00000002.1453411821.0000026329A40000.00000004.00000020.00020000.00000000.sdmp
Binary string: 089\System.Core.pdb
Source: powershell.exe, 00000006.00000002.1436302402.000002632961D000.00000004.00000020.00020000.00000000.sdmp
Binary string: *on.pdb
Source: GSlLzFnTov.exe
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000000.1395554704.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000008.00000002.1415478056.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000002.1453592808.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 00000009.00000000.1415716755.00007FF7F1DEE000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp
String found in binary or memory: Usage: curl [options...] <url>
Source: GSlLzFnTov.exe.1.dr
String found in binary or memory: Usage: curl [options...] <url>
Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1332486385.000002630F825000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000003.00000002.1321328788.000001EFDF7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1332789256.00000263114C1000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License
Source: GSlLzFnTov.exe
String found in binary or memory: https://curl.se/
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/P
Source: GSlLzFnTov.exe
String found in binary or memory: https://curl.se/docs/copyright.html
Source: GSlLzFnTov.exe, 00000008.00000000.1395599061.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 00000009.00000002.1453696864.00007FF7F1E10000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000000.1460845940.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503652165.00007FF700EC0000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/docs/hsts.html
Source: GSlLzFnTov.exe
String found in binary or memory: https://curl.se/docs/hsts.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: GSlLzFnTov.exe
String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: GSlLzFnTov.exe, GSlLzFnTov.exe, 0000000C.00000000.1460809196.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1484133596.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000002.1503582036.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe, 0000000E.00000000.1484395249.00007FF700E9E000.00000002.00000001.01000000.00000007.sdmp, GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: GSlLzFnTov.exe
String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: GSlLzFnTov.exe.1.dr
String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: powershell.exe, 00000006.00000002.1332789256.00000263116E8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1332789256.0000026312AE8000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=
Source: knfV5IVjEV.lnk
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481469904.000001C4E455D000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0
Source: GSlLzFnTov.exe, 0000000C.00000002.1482744214.000001C4E4517000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0%
Source: GSlLzFnTov.exe, 00000008.00000003.1414842290.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com
Source: GSlLzFnTov.exe, 00000008.00000003.1414909781.0000024D89B89000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481445331.000001C4E4524000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000002.1483163619.000001C4E4528000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 0000000C.00000003.1481507863.000001C4E4527000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0jethropc.com##
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0rz
Source: GSlLzFnTov.exe, 00000008.00000002.1415329869.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1414994550.0000024D89B63000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000008.00000003.1415114903.0000024D89B66000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey0wz
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D0000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1
Source: GSlLzFnTov.exe, 00000009.00000002.1438709537.000002AD152F0000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1Pu_
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1T
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1e
Source: GSlLzFnTov.exe, 00000009.00000003.1435646730.000002AD15329000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.com##O
Source: GSlLzFnTov.exe, 00000009.00000003.1435462912.000002AD15329000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1jethropc.comqu
Source: GSlLzFnTov.exe, 0000000E.00000002.1503333491.0000022C409D8000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1ji2
Source: GSlLzFnTov.exe, 00000009.00000002.1453222250.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436426767.000002AD15306000.00000004.00000020.00020000.00000000.sdmp, GSlLzFnTov.exe, 00000009.00000003.1436313162.000002AD15303000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://jethropc.com/wp-admin/css/temp/hurry/?rv=papago&za=honey1y
Source: powershell.exe, 00000003.00000002.1371102592.000001EFEF822000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1371102592.000001EFEF965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321533000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1421186731.0000026321675000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe
Source: knfV5IVjEV.lnk, type: SAMPLE
Matched rule: Detects powershell keyword obfuscated with carets (Author: Florian Roth)
Source: amsi64_7732.amsi.csv, type: OTHER
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: 00000003.00000002.1385766867.000001EFF7B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Detects powershell keyword obfuscated with carets (Author: Florian Roth)
Source: 00000003.00000002.1383867622.000001EFF7AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Detects powershell keyword obfuscated with carets (Author: Florian Roth)
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Matched rule: Detects powershell keyword obfuscated with carets (Author: Florian Roth)
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen)