Source: unknown |
TCP traffic detected without corresponding DNS query: 192.3.243.154 |
Source: powershell.exe, 00000003.00000002.1778680417.000001F40D101000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://192.3.243.154 |
Source: powershell.exe, 00000003.00000002.1778680417.000001F40D101000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://192.3.243.154/yobro.txt |
Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.2120789924.000001EC000A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: powershell.exe, 00000001.00000002.2120789924.000001EC00051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000001.00000002.2120789924.000001EC0006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee; |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com; |
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.googleapis.com |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.gstatic.com; |
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/ |
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1687834660.000002262D153000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1689136984.000002262D068000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D158000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/gK5wA |
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/gK5wA; |
Source: wscript.exe, 00000000.00000002.1689631112.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688154539.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688844641.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688770085.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/gK5wAR |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://secure.gravatar.com |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://themes.googleusercontent.com |
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br |
Source: powershell.exe, 00000003.00000002.1777989868.000001F4047AA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br/ |
Source: powershell.exe, 00000003.00000002.1777989868.000001F4046C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887 |
Source: powershell.exe, 00000003.00000002.1777989868.000001F4046C0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888 |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com; |
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |