

Phraseexpress corrupt pxp files pro

String found in binary or memory: /statuses/update.xmlU
String found in binary or memory: ure.global/cacert/root-r3.crt06
String found in binary or memory: ure.global/cacert/gstsacasha384g4.crt0
String found in binary or memory: ure.global/cacert/gsgccr45evcodesignca2020.
String found in binary or memory: ure.global/cacert/codesigningrootr45.crt0A
String found in binary or memory: emas.xmlsoap.org/soap/envelope/
String found in binary or memory: ository.ce/l3.
String found in binary or memory: p2.globalsign.com/rootr606
String found in binary or memory: p2.globalsign.com/rootr306
String found in binary or memory: p.globalsign.com/rootr30
String found in binary or memory: p.globalsign.com/rootr103
String found in binary or memory: p.globalsign.com/gsgccr45evcodesignca20200U
String found in binary or memory: p.globalsign.com/codesigningrootr450F
String found in binary or memory: p.globalsign.com/ca/gstsacasha384g40C
String found in binary or memory: p.comodoca.
String found in binary or memory: p.certum.pl0.
String found in binary or memory: globalsign.com/gsgccr45evcodesignca2020.
String found in binary or memory: globalsign.com/codesigningrootr45.crl0U
String found in binary or memory: globalsign.com/ca/gstsacasha384g4.crl0
String found in binary or memory: com/COMODORSACertificationAuthority.crl0 q
String found in binary or memory: bit.ly/v3/shorten?login=%s&apiKey=%s&uri=%s&format=xml
String found in binary or memory: x.googleapis.com/ajax/services/language/detect?v=1.

Found strings which match to known social media urls
String found in binary or memory: com/user/bartelsmediagmbhopenSVW equals (Youtube)
String found in binary or memory: w.youtube.com/phraseexpressopen equals (Facebook)
String found in binary or memory: w.facebook.

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
Code function: 3_2_005EA2D0 FindFirstFileW,GetLastError,
Code function: 3_2_0040CBFC FindFirstFileW,FindClose,
Code function: 3_2_00642484 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
Code function: 3_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe
Code function: 0_2_0040B268 FindFirstFileW,FindClose,
Code function: 0_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,

Sigma detected: Netsh Port or Application Allowed
Author: Markus Neis, Sander Wiebing
Data:
Command: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
CommandLine: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
CommandLine|base64offset|contains: ijY
Image: C:\Windows\SysWOW64\netsh.exe
NewProcessName: C:\Windows\SysWOW64\netsh.exe
OriginalFileName: C:\Windows\SysWOW64\netsh.exe
ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp' /SL5='$D0256,32684378,1115136,C:\Users\user\Desktop\PhraseExpressSetup.exe'
ParentImage: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
ParentProcessId: 5552
ProcessCommandLine: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
ProcessId: 6124
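The Sigma hit above is the Inno Setup stub of the installer spawning netsh to add an inbound allow rule for the program it just installed. That is what a legitimate installer does, but it is also the primitive malware uses to open a listener, so the useful triage check is to pull the allowed program path and direction out of the command line and look at where the program lives. The block below is an added example, not part of the sandbox report and not PhraseExpress code: a Python detector that parses both the advfirewall and the legacy netsh firewall syntaxes from process-creation events, reports allow rules, flags programs under user-writable directories, and implements Sigma's base64offset modifier so that a CommandLine|base64offset|contains value like the one shown in the report's data can be reproduced for any given search string. The sample events are constructed (the first reuses the report's command line), the event field names follow the report, and the user-writable-directory list is an assumed heuristic, not part of any Sigma rule.

```python
"""Flag netsh firewall allow-rule additions in process-creation events.

Added example: the events below are constructed, modelled on the fields the
sandbox report shows (Image, OriginalFileName, CommandLine, ParentImage,
ProcessId); the user-writable-path heuristic is an assumption, not part of
any Sigma rule.
"""
import base64
import re
from typing import Any, Dict, List, Optional

# A token is a run of unquoted characters and/or quoted strings, so that
# program='C:\Program Files (x86)\...\x.exe' stays one token despite spaces.
TOKEN_RE = re.compile(r"""(?:[^\s'"]+|'[^']*'|"[^"]*")+""")

# Directories a non-admin user can write to (assumed heuristic, not exhaustive).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def unquote(tok: str) -> str:
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1]
    return tok


def is_netsh(event: Dict[str, str]) -> bool:
    """Match on the image path or the PE's OriginalFileName, as the Sigma data does."""
    image = (event.get("Image") or "").lower()
    orig = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\netsh.exe") or orig.endswith("netsh.exe")


def parse_netsh_add(cmdline: str) -> Optional[Dict[str, Any]]:
    """Return details of a command that opens the host firewall, else None.

    Handles both syntaxes:
      netsh advfirewall firewall add rule ... action=allow
      netsh firewall add allowedprogram|portopening ... (legacy, mode defaults to ENABLE)
    """
    toks = TOKEN_RE.findall(cmdline)
    words = [unquote(t).lower() for t in toks]
    try:
        fw = words.index("firewall")          # exact match, so 'advfirewall' is skipped
    except ValueError:
        return None
    if len(words) < fw + 3 or words[fw + 1] != "add":
        return None
    verb = words[fw + 2]
    legacy = "advfirewall" not in words[:fw]
    args: Dict[str, str] = {}
    for tok in toks[fw + 3:]:                 # key=value pairs, values possibly quoted
        if "=" in tok:
            key, val = tok.split("=", 1)
            args[key.lower()] = unquote(val)
    if not legacy and verb == "rule":
        if args.get("action", "").lower() != "allow":
            return None
        direction = (args.get("dir") or "").lower() or None   # dir is required by netsh; recorded as given
        port = args.get("localport")
    elif legacy and verb in ("allowedprogram", "portopening"):
        if args.get("mode", "enable").lower() != "enable":
            return None
        direction = "in"                      # legacy 'netsh firewall' exceptions are inbound
        port = args.get("port")
    else:
        return None
    return {"syntax": "legacy" if legacy else "advfirewall", "verb": verb,
            "rule_name": args.get("name"), "program": args.get("program"),
            "port": port, "direction": direction}


def in_user_writable_dir(path: Optional[str]) -> bool:
    p = (path or "").lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Run the check over process-creation events and return the findings."""
    findings = []
    for ev in events:
        if not is_netsh(ev):
            continue
        parsed = parse_netsh_add(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        parsed["ProcessId"] = ev.get("ProcessId")
        parsed["ParentImage"] = ev.get("ParentImage")
        parsed["suspicious_path"] = in_user_writable_dir(parsed["program"])
        findings.append(parsed)
    return findings


def base64offset_variants(value: str) -> List[str]:
    """Sigma's base64offset modifier: the three encodings of `value` as it appears
    at byte offset 0, 1 or 2 inside a larger base64 blob. The leading/trailing
    characters that also depend on neighbouring bytes are trimmed."""
    raw = value.encode()
    start, end = (0, 2, 3), (None, -3, -2)
    return [base64.b64encode(b" " * i + raw).decode()[start[i]:end[(len(raw) + i) % 3]]
            for i in range(3)]


def variant_found(value: str, prefix: bytes, suffix: bytes = b"zz") -> bool:
    """True if the variant for this alignment matches base64(prefix + value + suffix)."""
    blob = base64.b64encode(prefix + value.encode() + suffix).decode()
    return base64offset_variants(value)[len(prefix) % 3] in blob


# Constructed sample events (not from the report); the first reuses the report's command line.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\netsh.exe", "OriginalFileName": "netsh.exe", "ProcessId": "6124",
     "CommandLine": r"'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe", "ProcessId": "7001",
     "CommandLine": "netsh advfirewall show allprofiles", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe", "ProcessId": "7002",
     "CommandLine": r'netsh advfirewall firewall add rule name="Block updater" dir=out action=block program="C:\tools\upd.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe", "ProcessId": "7003",
     "CommandLine": r'netsh firewall add allowedprogram program="C:\Users\user\AppData\Local\Temp\svc.exe" name="svc" mode=ENABLE',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\svc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "ProcessId": "7004",
     "CommandLine": "cmd /c echo firewall add rule action=allow", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(base64offset_variants("firewall add"))
```

Run against the constructed events, only two findings come back: the installer's inbound allow rule for PhraseExpress.exe under Program Files (a path the user cannot write to, so not flagged) and the legacy allowedprogram exception for an executable under Temp (flagged). The show command, the block rule and the cmd.exe event that merely mentions "firewall add" are all dropped, the last one because the image check runs before the command line is parsed.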
