Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 9003 |
Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003 |
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003 |
Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772 |
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003 |
Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781 |
Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788 |
Source: wscript.exe, 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879648858.000000D426DC1000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://travcharles.duia.ro:5098 |
Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zeegod.duckdns.org/ |
Source: wscript.exe, 00000010.00000002.884207305.00000244AFE70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://zeegod.duckdns.org:9003/ |
Source: wscript.exe, 00000009.00000002.882911583.0000011D6E4C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.884292781.00000244B0070000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: 00000009.00000002.880440429.0000011D6BAC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000010.00000002.882089368.00000244AF3F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000000.00000002.881750287.000001C6DCC58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000002.882946701.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29 |
Source: 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000010.00000002.880524674.00000244AD5E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000003.815386378.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000009.00000002.880465658.0000011D6BAE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000002.881460459.000001B39E783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29 |
Source: 00000010.00000002.880727385.00000244AD604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000000.00000002.881896029.000001C6DCCF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000009.00000002.881676533.0000011D6D82C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000000.00000002.881056008.000001C6DADBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000003.390360933.000001B3A054F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29 |
Source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29 |
Source: 00000005.00000002.881618761.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000000.00000003.353378984.000001C6DCC2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000005.00000003.815331689.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: 00000000.00000002.880778085.000001C6DAD96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: Process Memory Space: wscript.exe PID: 3908, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: Process Memory Space: wscript.exe PID: 6860, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: Process Memory Space: wscript.exe PID: 5768, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: Process Memory Space: wscript.exe PID: 792, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/ |
Source: wscript.exe, 0000000C.00000002.881090970.00000171E043A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}2 |
Source: wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I- |
Source: wscript.exe, 00000010.00000002.883452838.00000244AF4E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0 |
Source: wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\40 |
Source: wscript.exe, 00000005.00000002.884426925.000001B3A1141000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT |
Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.815466211.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883870439.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.884426925.000001B3A1141000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.883006547.0000011D6E4DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: wscript.exe, 00000005.00000003.815288447.000001B3A051F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: od_VMware_SATA_C5&280b647&0&000000#{ |
Source: wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\fb8b} |
Source: wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x0 |
Source: wscript.exe, 00000005.00000003.815466211.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883870439.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct |
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct |
Source: Yara match | File source: 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.881711321.00000239FAA0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.881056542.000001C97BC3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.880769506.00000171E040E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.881396869.00000171E222F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.882667131.00000280CABE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.880198899.000001C979E13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.881826906.000001FE441D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5516, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6652, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 4448, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 2312, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5512, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6408, type: MEMORYSTR |