Source: |
Binary string: calc.pdbGCTL source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852558870.000001A2C46E1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852439079.000001A2C46DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851615477.000001A2C4722000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865516494.000001A2C46F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852507533.000001A2C4710000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852261324.000001A2C46D5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852234112.000001A2C438F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr |
Source: |
Binary string: PSReadline.pdbaK source: powershell.exe, 00000011.00000002.1635136687.0000029E326E4000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E323A0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: easinvoker.pdb source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr |
Source: |
Binary string: _.pdb source: bwsiuvcU.pif, 00000017.00000002.1680345757.000000003DA95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000003.1516343993.000000003BDC9000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681909755.0000000040260000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1681582310.000000003EDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1787983024.0000000025D95000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1791650361.00000000284A0000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1634916828.0000000023FF4000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1790805820.0000000026F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555827704.0000000040350000.00000004.08000000.00040000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000003.1719620200.000000003BD8F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554498447.000000003DA65000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2555544877.000000003ED31000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: calc.pdb source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1855006902.000001A2C46D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852363981.000001A2C46CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852067245.000001A2C4393000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1851691454.000001A2C438D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1865380060.000001A2C46D1000.00000004.00000020.00020000.00000000.sdmp, yt[1].hta.9.dr |
Source: |
Binary string: easinvoker.pdbH source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.19.dr |
Source: |
Binary string: owershell.PSReadline.pdb source: powershell.exe, 00000011.00000002.1629294581.0000029E32432000.00000004.00000020.00020000.00000000.sdmp |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: powershell.exe, 00000011.00000002.1634145596.0000029E324B0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: svchost.exe, 0000000E.00000002.2531370506.0000021C38E00000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://mail.irmaklarpaslanmaz.com.tr |
Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.sectigo.com0C |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://r3.i.lencr.org/0o |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://r3.o.lencr.org0 |
Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000F.00000002.1839645117.000002B07C378000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.o |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: uc.exe, uc.exe, 00000013.00000002.1514685918.0000000014B20000.00000004.00000020.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1503584552.00000000029AB000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1438376010.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000000.1494201950.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 00000019.00000000.1623023662.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif, 0000001B.00000000.1707510490.0000000000416000.00000002.00000001.01000000.0000000F.sdmp, bwsiuvcU.pif.19.dr |
String found in binary or memory: http://www.pmail.com |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://x1.c.lencr.org/0 |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DE3A000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683385991.0000000041372000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1677075916.000000003BE2B000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000017.00000002.1683295114.0000000041300000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1793876103.0000000029440000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000003.1711636457.000000002944F000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025FC9000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1794000591.00000000294C3000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD89000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2552799293.000000003BDB8000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556860764.0000000041253000.00000004.00000020.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2556758276.00000000411C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://x1.i.lencr.org/0 |
Source: bwsiuvcU.pif, 00000017.00000002.1680679015.000000003DDE1000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 00000019.00000002.1788431061.0000000025F71000.00000004.00000800.00020000.00000000.sdmp, bwsiuvcU.pif, 0000001B.00000002.2554879629.000000003DD31000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: powershell.exe, 0000000F.00000002.1678474741.000002B000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38CD9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/Prod1C: |
Source: svchost.exe, 0000000E.00000003.1320362193.0000021C38C80000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C: |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A30E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000F.00000002.1678474741.000002B0011BC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://live.com/ |
Source: powershell.exe, 0000000F.00000002.1813302246.000002B010082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1813302246.000002B0101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1546422130.0000029E2A0E2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: uc.exe, 00000013.00000002.1496845420.00000000007AB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/_ |
Source: uc.exe, 00000013.00000002.1500694013.00000000025ED000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/downlo |
Source: uc.exe, 00000013.00000002.1500694013.00000000025D0000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21220&authkey= |
Source: uc.exe, 00000013.00000002.1522999509.000000007F110000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1484341783.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000003.1485374798.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, uc.exe, 00000013.00000002.1500694013.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Ucvuiswb.PIF, 00000018.00000002.1651090812.0000000013BAF000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://sessosesso.it |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A4D9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://sessosesso.it/assets/aw/Book1.xlsx |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it |
Source: mshta.exe, 00000009.00000002.1863478690.0000019AC1727000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1724000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/ |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A557000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/Book1.xlsx |
Source: powershell.exe, 00000011.00000002.1450441892.0000029E1A55B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/uc.exep |
Source: mshta.exe, 00000009.00000002.1865747161.000001A2C9C00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta |
Source: mshta.exe, 00000009.00000002.1864667684.000001A2C42A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta... |
Source: mshta.exe, 00000009.00000003.1852414679.0000019AC1771000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000009.00000003.1852117667.0000019AC1757000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta...- |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta1 |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16F7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta5 |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta6288 |
Source: FT. 40FE CNY .xlsx.lnk |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaAC: |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC1680000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaC: |
Source: mshta.exe, 00000009.00000003.1853065476.000001A2C46E5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaDe |
Source: mshta.exe, 00000009.00000002.1863790955.0000019AC1850000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaH |
Source: mshta.exe, 00000009.00000002.1863703689.0000019AC1772000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaLMEMX |
Source: mshta.exe, 00000009.00000002.1863884931.0000019AC19B0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaPS_BROW |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaU |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC16A6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.hta_ |
Source: mshta.exe, 00000009.00000003.1859449128.000001A2C48C5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htahttps://www.sessosesso.it/assets/aw/yt.hta |
Source: mshta.exe, 00000009.00000002.1863133474.0000019AC170A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sessosesso.it/assets/aw/yt.htaindows |
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://zyupsq.by.files.1drv.com/ |
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://zyupsq.by.files.1drv.com/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY17Y2 |
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://zyupsq.by.files.1drv.com/y4meSWi_sxRIVEad6REzmio40CREEc5i8wX7nys_a0wT5VjuHcwzIZewYF7haE8C4Cu |
Source: uc.exe, 00000013.00000002.1496845420.000000000081B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://zyupsq.by.files.1drv.com:443/y4mZWAAbbWbD2Z_SLbFHXttkWK-AZlqt62tunxr4xpHZuH07d5XHa5kbVXE61GY |
Source: amsi64_7800.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPED |
Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_0299C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, |
19_2_0299C3F8 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_0299C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, |
19_2_0299C368 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_0299C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, |
19_2_0299C4DC |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_02997AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, |
19_2_02997AC0 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_02997968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, |
19_2_02997968 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_02997F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, |
19_2_02997F48 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_0299C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, |
19_2_0299C3F6 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_02997966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, |
19_2_02997966 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_02997F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, |
19_2_02997F46 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028BC4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, |
24_2_028BC4DC |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028B7AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, |
24_2_028B7AC0 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028B7968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, |
24_2_028B7968 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028B7F48 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, |
24_2_028B7F48 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028BC3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, |
24_2_028BC3F8 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028BC3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, |
24_2_028BC3F6 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028BC368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, |
24_2_028BC368 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028B7966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, |
24_2_028B7966 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028B7F46 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread, |
24_2_028B7F46 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 15_2_00007FFAAB970E65 |
15_2_00007FFAAB970E65 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB955F80 |
17_2_00007FFAAB955F80 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB9834B8 |
17_2_00007FFAAB9834B8 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95BC90 |
17_2_00007FFAAB95BC90 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95BC35 |
17_2_00007FFAAB95BC35 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95BB3B |
17_2_00007FFAAB95BB3B |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95E318 |
17_2_00007FFAAB95E318 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95BA99 |
17_2_00007FFAAB95BA99 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB95DFE0 |
17_2_00007FFAAB95DFE0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAAB96CEA0 |
17_2_00007FFAAB96CEA0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAABA2362E |
17_2_00007FFAABA2362E |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 17_2_00007FFAABA232A0 |
17_2_00007FFAABA232A0 |
Source: C:\Users\user\AppData\Roaming\uc.exe |
Code function: 19_2_029820C4 |
19_2_029820C4 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00408C60 |
23_2_00408C60 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_0040DC11 |
23_2_0040DC11 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00407C3F |
23_2_00407C3F |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00418CCC |
23_2_00418CCC |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00406CA0 |
23_2_00406CA0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_004028B0 |
23_2_004028B0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_0041A4BE |
23_2_0041A4BE |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00418244 |
23_2_00418244 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00401650 |
23_2_00401650 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00402F20 |
23_2_00402F20 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_004193C4 |
23_2_004193C4 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00418788 |
23_2_00418788 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00402F89 |
23_2_00402F89 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_00402B90 |
23_2_00402B90 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_004073A0 |
23_2_004073A0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_3D941030 |
23_2_3D941030 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_3D941020 |
23_2_3D941020 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B99A0 |
23_2_411B99A0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B1220 |
23_2_411B1220 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B1AF0 |
23_2_411B1AF0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411BCD30 |
23_2_411BCD30 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B0ED8 |
23_2_411B0ED8 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B3EDF |
23_2_411B3EDF |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_411B3EF0 |
23_2_411B3EF0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41454570 |
23_2_41454570 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41450040 |
23_2_41450040 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_414560F0 |
23_2_414560F0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41453370 |
23_2_41453370 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_4145F3D1 |
23_2_4145F3D1 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41459B90 |
23_2_41459B90 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_4145ABB0 |
23_2_4145ABB0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_4145D1A8 |
23_2_4145D1A8 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41453AB7 |
23_2_41453AB7 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41D65168 |
23_2_41D65168 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_2_41D60990 |
23_2_41D60990 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00408C60 |
23_1_00408C60 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_0040DC11 |
23_1_0040DC11 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00407C3F |
23_1_00407C3F |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00418CCC |
23_1_00418CCC |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00406CA0 |
23_1_00406CA0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_004028B0 |
23_1_004028B0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_0041A4BE |
23_1_0041A4BE |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00418244 |
23_1_00418244 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00401650 |
23_1_00401650 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00402F20 |
23_1_00402F20 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_004193C4 |
23_1_004193C4 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00418788 |
23_1_00418788 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00402F89 |
23_1_00402F89 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_00402B90 |
23_1_00402B90 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 23_1_004073A0 |
23_1_004073A0 |
Source: C:\Users\Public\Libraries\Ucvuiswb.PIF |
Code function: 24_2_028A20C4 |
24_2_028A20C4 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00408C60 |
25_2_00408C60 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_0040DC11 |
25_2_0040DC11 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00407C3F |
25_2_00407C3F |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00418CCC |
25_2_00418CCC |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00406CA0 |
25_2_00406CA0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_004028B0 |
25_2_004028B0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_0041A4BE |
25_2_0041A4BE |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00418244 |
25_2_00418244 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00401650 |
25_2_00401650 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00402F20 |
25_2_00402F20 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_004193C4 |
25_2_004193C4 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00418788 |
25_2_00418788 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00402F89 |
25_2_00402F89 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_00402B90 |
25_2_00402B90 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_004073A0 |
25_2_004073A0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_25B81030 |
25_2_25B81030 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_25B81020 |
25_2_25B81020 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29439A58 |
25_2_29439A58 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29431AF0 |
25_2_29431AF0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29430ED8 |
25_2_29430ED8 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29433EEC |
25_2_29433EEC |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29433EF0 |
25_2_29433EF0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29431220 |
25_2_29431220 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296DF3D1 |
25_2_296DF3D1 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296DABB0 |
25_2_296DABB0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296D9B90 |
25_2_296D9B90 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296D4570 |
25_2_296D4570 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296D0680 |
25_2_296D0680 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296DD1A8 |
25_2_296DD1A8 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_296D3AB7 |
25_2_296D3AB7 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29CB15FC |
25_2_29CB15FC |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29CB15F0 |
25_2_29CB15F0 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29FE0990 |
25_2_29FE0990 |
Source: C:\Users\Public\Libraries\bwsiuvcU.pif |
Code function: 25_2_29FE5168 |
25_2_29FE5168 |
Source: amsi64_7800.amsi.csv, type: OTHER |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: 23.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 25.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 25.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 23.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 27.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 25.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 27.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 23.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 23.1.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 27.2.bwsiuvcU.pif.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 27.1.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 25.2.bwsiuvcU.pif.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000019.00000001.1624046151.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000019.00000002.1732584170.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0000001B.00000002.2524457336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000017.00000001.1494452738.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0000001B.00000001.1707928386.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000017.00000002.1639938993.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: Process Memory Space: powershell.exe PID: 7688, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: C:\Users\Public\Libraries\UcvuiswbO.bat, type: DROPPED |
Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload |