Source: powershell.exe, 0000000F.00000002.527605554.00000265C03F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/ |
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT |
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH |
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS |
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/ |
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000F.00000002.508025334.00000265A80B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000F.00000002.524619669.00000265A9BE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR |
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR |
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown |
Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23 |
Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23 |
Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401D95 GetProcAddress,NtCreateSection,memset, |
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401F78 NtMapViewOfSection, |
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D8521 NtQueryVirtualMemory, |
Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR |
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\main.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\main.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR |
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR |
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |