Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 21_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_00407877 FindFirstFileW,FindNextFileW, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 29_2_0040AE51 FindFirstFileW,FindNextFileW, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 30_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 31_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C6BA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://b2case.com |
Source: powershell.exe, 00000005.00000002.2605240365.0000028054873000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micros |
Source: powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://desckvbrat.com.br |
Source: powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ftp.desckvbrat.com.br |
Source: AddInProcess32.exe, 00000015.00000002.3074510288.0000000000F18000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/ |
Source: AddInProcess32.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: powershell.exe, 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C724000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://paste.ee |
Source: powershell.exe, 0000000D.00000002.1948758053.000001AB895D7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pastebin.com |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000001.00000002.3078580117.0000015B800B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000004.00000002.1789063987.0000015C8A5A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C402000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: AddInProcess32.exe |
String found in binary or memory: http://www.ebuddy.com |
Source: AddInProcess32.exe |
String found in binary or memory: http://www.imvu.com |
Source: powershell.exe, 00000008.00000002.2115107372.000002D4EB8D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: AddInProcess32.exe |
String found in binary or memory: http://www.nirsoft.net/ |
Source: powershell.exe, 00000001.00000002.3078580117.0000015B8005F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000001.00000002.3078580117.0000015B8007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789063987.0000015C8A381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1787528120.000002803C1E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACC3B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D34D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee; |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C6B6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://b2case.com |
Source: powershell.exe, 00000001.00000002.3078580117.0000015B80D2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C6B6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://b2case.com/class.txt |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com; |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.1891382694.000002203A54B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id= |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.googleapis.com |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.gstatic.com; |
Source: powershell.exe, 00000008.00000002.1779641476.000002D4D4D6B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.1919143366.000002203D14E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: AddInProcess32.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: powershell.exe, 00000003.00000002.1919143366.000002203DC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2943623698.000002204C172000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2409816379.0000015C9A3F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311218245.000002804C253000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1778802424.0000018ACDCA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1930444646.0000018ADC566000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3686000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2013682859.000002D4E3550000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D4DC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000007.00000002.1778802424.0000018ACD883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1779641476.000002D4D49A2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D8B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DB93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DB96000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/d80GV/0 |
Source: powershell.exe, 00000003.00000002.1919143366.000002203DB93000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/d80GV/0P |
Source: powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D80B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/jm8qu/0 |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/jm8qu/08 |
Source: powershell.exe, 00000003.00000002.1919143366.000002203D835000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/jm8qu/0P |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C700000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C724000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/r322U/0 |
Source: powershell.exe, 0000000D.00000002.1948758053.000001AB893C0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com |
Source: powershell.exe, 0000000D.00000002.1948758053.000001AB893C0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/pQQ0n3eA |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://secure.gravatar.com |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://themes.googleusercontent.com |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe |
String found in binary or memory: https://www.google.com |
Source: AddInProcess32.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com; |
Source: powershell.exe, 00000003.00000002.1919143366.000002203C510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C4F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C651000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D88E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203D861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203DBEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1919143366.000002203C729000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 23_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 29_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 29_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 30_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 30_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 31_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 31_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 40.2.powershell.exe.1b33d0e6cd0.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.powershell.exe.1e3b1478da0.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 23.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 35.2.powershell.exe.1a8905a8228.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 13.2.powershell.exe.1ab996e87d0.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 26.2.powershell.exe.1c222be89d8.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 13.2.powershell.exe.1ab996e87d0.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 19.2.powershell.exe.1e3b1478da0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 26.2.powershell.exe.1c222be89d8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 35.2.powershell.exe.1a8905a8228.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 40.2.powershell.exe.1b33d0e6cd0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000D.00000002.2290132644.000001AB99151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000013.00000002.2364592750.000001E3B1150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0000000D.00000002.2290132644.000001AB99541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000028.00000002.2788200178.000001B33CDBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000023.00000002.2563409063.000001A890401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000017.00000002.1931941329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000001A.00000002.2531838956.000001C222A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 1800, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR |
Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth |
Source: Process Memory Space: powershell.exe PID: 1928, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR |
Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth |