| Source | Finding | Value |
|---|---|---|
| 10.2.RegSvcs.exe.400000.0.unpack | String decryptor | xwormay8450.duckdns.org |
| 10.2.RegSvcs.exe.400000.0.unpack | String decryptor | 8450 |
| 10.2.RegSvcs.exe.400000.0.unpack | String decryptor | `<123456789>` |
| 10.2.RegSvcs.exe.400000.0.unpack | String decryptor | `<Xwormmm>` |
| 10.2.RegSvcs.exe.400000.0.unpack | String decryptor | USB.exe |
| wscript.exe, 00000000.00000003.2189737552.00000253B84BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1980426124.00000253B84DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2193774088.00000253B855E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981547038.00000253BA25A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981056029.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981118673.00000253BA254000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1980594469.00000253BA260000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2184504428.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189316144.00000253B855E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981199099.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981285368.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189968962.00000253BA280000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1980630321.00000253B84E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189999809.00000253B84E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183679902.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2194361721.00000253BA540000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981642824.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2188878485.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189686550.00000253B84DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981254551.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981163858.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | http://app01.system.com.br/RDWeb/Pages/login.aspx |
| wscript.exe, 00000000.00000003.2189737552.00000253B84BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2190097065.00000253B84CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2193585871.00000253B84CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | http://app01.system.com.br/RDWeb/Pages/login.aspxS |
| wscript.exe, 00000000.00000003.1981056029.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2184504428.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981199099.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981285368.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189968962.00000253BA280000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183679902.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981642824.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2188878485.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981254551.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981163858.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981547038.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981418051.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | http://app01.system.com.br/RDWeb/Pages/login.aspxd |
| powershell.exe, 00000006.00000002.2985016131.00000248AB2BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | http://nuget.org/NuGet.exe |
| powershell.exe, 00000006.00000002.2559643191.000002489B474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | http://pesterbdd.com/images/Pester.png |
| powershell.exe, 00000004.00000002.3197203845.00000256014AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2559643191.000002489B251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| powershell.exe, 00000006.00000002.2559643191.00000248A173D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | http://uploaddeimagens.com.br |
| powershell.exe, 00000006.00000002.2559643191.000002489B474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | http://www.apache.org/licenses/LICENSE-2.0.html |
| powershell.exe, 00000004.00000002.3197203845.000002560142F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://aka.ms/pscore6 |
| powershell.exe, 00000004.00000002.3197203845.000002560147E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2559643191.000002489B251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://aka.ms/pscore68 |
| powershell.exe, 00000006.00000002.2985016131.00000248AB2BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://contoso.com/ |
| powershell.exe, 00000006.00000002.2985016131.00000248AB2BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://contoso.com/Icon |
| powershell.exe, 00000006.00000002.2985016131.00000248AB2BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://contoso.com/License |
| powershell.exe, 00000006.00000002.2559643191.000002489B474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://github.com/Pester/Pester |
| wscript.exe, 00000000.00000002.2194513986.00000253BA5DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189116397.00000253BA5DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://login.live.com |
| powershell.exe, 00000006.00000002.2985016131.00000248AB2BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://nuget.org/nuget.exe |
| wscript.exe, 00000000.00000002.2194513986.00000253BA5DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189116397.00000253BA5DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://pastebin.com/ |
| wscript.exe, 00000000.00000002.2194473234.00000253BA5AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2184504428.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2194299974.00000253BA27B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189794648.00000253BA5A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2190242063.00000253BA6F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189829767.00000253BA5A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189295214.00000253BA5A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183679902.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2192373620.00000253BA278000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2192399281.00000253BA279000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2188812304.00000253BA26D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2184504428.00000253BA26D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2194031342.00000253BA250000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://pastebin.com/raw/VP3shFzM |
| wscript.exe, 00000000.00000002.2194473234.00000253BA5AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189794648.00000253BA5A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189829767.00000253BA5A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189295214.00000253BA5A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://pastebin.com/raw/VP3shFzMI |
| wscript.exe, 00000000.00000002.2193774088.00000253B855E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2189316144.00000253B855E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://pastebin.com/raw/VP3shFzMtart |
| wscript.exe, 00000000.00000003.1981547038.00000253BA25A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1981118673.00000253BA254000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://pastsubjectivamentebin.com/raw/VP3shFz |
| wscript.exe, 00000000.00000003.1981418051.00000253BA27E000.00000004.00000020.00020000.00000000.sdmp, S94847456-receipt.vbs | String found in binary or memory | https://pastsubjectivamentebin.com/raw/VP3shFzM |
| powershell.exe, 00000006.00000002.2559643191.000002489B474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory | https://uploaddeimagens.com.br |
| powershell.exe, 00000006.00000002.2558861948.000002489919A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory | https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 |
| unknown | Network traffic detected | HTTP traffic on port 49705 -> 443 |
| unknown | Network traffic detected | HTTP traffic on port 49716 -> 443 |
| unknown | Network traffic detected | HTTP traffic on port 443 -> 49705 |
| unknown | Network traffic detected | HTTP traffic on port 49714 -> 443 |
| unknown | Network traffic detected | HTTP traffic on port 49715 -> 443 |
| unknown | Network traffic detected | HTTP traffic on port 443 -> 49716 |
| unknown | Network traffic detected | HTTP traffic on port 443 -> 49715 |
| unknown | Network traffic detected | HTTP traffic on port 443 -> 49714 |
| 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule | Detects AsyncRAT (Author: ditekSHen) |
| 0000000A.00000002.3292133576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule | Detects AsyncRAT (Author: ditekSHen) |
| Process Memory Space: powershell.exe PID: 1864, type: MEMORYSTR | Matched rule | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen) |
| Process Memory Space: powershell.exe PID: 6444, type: MEMORYSTR | Matched rule | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution (Author: ditekSHen) |