Source: 11.2.RegSvcs.exe.400000.0.unpack |
String decryptor: xwormay8450.duckdns.org |
Source: 11.2.RegSvcs.exe.400000.0.unpack |
String decryptor: 8450 |
Source: 11.2.RegSvcs.exe.400000.0.unpack |
String decryptor: <123456789> |
Source: 11.2.RegSvcs.exe.400000.0.unpack |
String decryptor: <Xwormmm> |
Source: 11.2.RegSvcs.exe.400000.0.unpack |
String decryptor: USB.exe |
Source: wscript.exe, 00000000.00000003.2314117552.000001EA10470000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2308080003.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2313691853.000001EA10442000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315728966.000001EA10440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056061781.000001EA10450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056339662.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2313719726.000001EA0E63F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2313505324.000001EA0E6F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315745147.000001EA10446000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056132285.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056094521.000001EA0E669000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2313761482.000001EA0E65B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2314174582.000001EA0E669000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056263648.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312690781.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056226162.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315425220.000001EA0E6F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056039902.000001EA0E65B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056380505.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056301621.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2314734978.000001EA10445000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx |
Source: wscript.exe, 00000000.00000003.2056432592.000001EA1044F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056418438.000001EA1044B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056196365.000001EA10445000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx0 |
Source: wscript.exe, 00000000.00000002.2315405942.000001EA0E68E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2313245780.000001EA0E68C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx4 |
Source: wscript.exe, 00000000.00000003.2314117552.000001EA10470000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2308080003.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056339662.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056132285.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056263648.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312690781.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056226162.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056380505.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056301621.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxd |
Source: powershell.exe, 00000005.00000002.3140393959.000001FD4C510000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoftF |
Source: powershell.exe, 00000007.00000002.2914568318.0000017BBAA7B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000007.00000002.2563131068.0000017BAAC33000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000005.00000002.3101307570.000001FD3437C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2563131068.0000017BAAA11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000007.00000002.2563131068.0000017BB0EFC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://uploaddeimagens.com.br |
Source: powershell.exe, 00000007.00000002.2563131068.0000017BAAC33000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000007.00000002.2562563265.0000017BA897F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000005.00000002.3101307570.000001FD34337000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000005.00000002.3101307570.000001FD3434A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2563131068.0000017BAAA11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000007.00000002.2914568318.0000017BBAA7B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000007.00000002.2914568318.0000017BBAA7B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000007.00000002.2914568318.0000017BBAA7B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000007.00000002.2563131068.0000017BAAC33000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.comMicrosoft |
Source: powershell.exe, 00000007.00000002.2914568318.0000017BBAA7B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: wscript.exe, 00000000.00000003.2056301621.000001EA1046E000.00000004.00000020.00020000.00000000.sdmp, I7336446-receipt.vbs |
String found in binary or memory: https://pastapohyalbin.com/raw/8RAqVdhv |
Source: wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/ |
Source: wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/l |
Source: wscript.exe, 00000000.00000003.2312619209.000001EA1045E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315728966.000001EA10440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315814040.000001EA10770000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315745147.000001EA1046A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2314290464.000001EA10975000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2314768115.000001EA1046A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/8RAqVdhv |
Source: wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/8RAqVdhvKos |
Source: wscript.exe, 00000000.00000002.2315993674.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2312950211.000001EA107F4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/8RAqVdhvl |
Source: wscript.exe, 00000000.00000003.2313245780.000001EA0E6E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2315425220.000001EA0E6E1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/8RAqVdhvtart |
Source: powershell.exe, 00000007.00000002.2563131068.0000017BAAC33000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br |
Source: powershell.exe, 00000007.00000002.2562847549.0000017BAA330000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49709 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49709 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.3360198407.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6792, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1672, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |