Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
20_2_0040928E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
20_2_0041C322 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
20_2_0040C388 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
20_2_004096A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
20_2_00408847 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_00407877 FindFirstFileW,FindNextFileW, |
20_2_00407877 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0044E8F9 FindFirstFileExA, |
20_2_0044E8F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
20_2_0040BB6B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
20_2_00419B86 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
20_2_0040BD72 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49726 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49730 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49734 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49736 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49725 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49735 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49743 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49744 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49746 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49729 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49754 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49745 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49747 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49766 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49772 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49760 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49751 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49767 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49741 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49770 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49737 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49756 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49763 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49739 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49775 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49771 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49762 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49758 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49750 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49759 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49757 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49748 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49740 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49773 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49755 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49776 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49769 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49753 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49764 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49774 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49731 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49749 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49733 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49761 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49765 -> 212.162.149.163:2404 |
Source: Network traffic |
Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49713 -> 188.114.97.3:443 |
Source: Network traffic |
Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49717 -> 188.114.97.3:443 |
Source: Network traffic |
Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49722 -> 188.114.97.3:443 |
Source: Network traffic |
Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 173.231.247.100:443 -> 192.168.2.6:49719 |
Source: Network traffic |
Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 173.231.247.100:443 -> 192.168.2.6:49719 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 212.162.149.163 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://desckvbrat.com.br |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ftp.desckvbrat.com.br |
Source: RegAsm.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: powershell.exe, 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://gratitudeseekers.com |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3016225827.000001BDBFF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2756972243.000001ABF1B4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2656723724.000001C11006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://paste.ee |
Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D7FD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pastebin.com |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000005.00000002.2283194941.000001ABE1D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000002.00000002.3114097341.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDAFF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2283194941.000001ABE1AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB61A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2368812441.000001EB4D351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2283194941.000001ABE1D02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100222000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.gratitudeseekers.com |
Source: powershell.exe, 00000008.00000002.2365489324.0000015ECE77E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.coE |
Source: powershell.exe, 00000002.00000002.3114097341.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDAFF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2283194941.000001ABE1AE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2273102577.000001C100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB61A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2368812441.000001EB4D351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee; |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com; |
Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000004.00000002.2324128930.000001BDAE320000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id= |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.googleapis.com |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.gstatic.com; |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB0F0F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.3083725979.000001BDC8340000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://go.microsoft.co |
Source: powershell.exe, 00000006.00000002.2889045925.000001C1774C3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ion=v4.5 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3016225827.000001BDBFF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2756972243.000001ABF1B4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2656723724.000001C11006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2258056949.0000015EB7B7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6219000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318228940.0000015EC6350000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000008.00000002.2258056949.0000015EB7674000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0142000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB04D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0502000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/Ga0HE/0 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB161F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0142000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/RdlsG/0 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB164A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/RdlsG/0P |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/b5xuX/0 |
Source: powershell.exe, 00000004.00000002.2341736438.000001BDB1932000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/b5xuX/0P |
Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D7F6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com |
Source: powershell.exe, 0000000D.00000002.2750883006.000001EB653E9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/GAC |
Source: powershell.exe, 0000000D.00000002.2368812441.000001EB4D61F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/pQQ0n3eA |
| Source | Finding |
| --- | --- |
| powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com |
| powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com |
| powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com |
| powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com; |
| powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gratitudeseekers.com |
| powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gratitudeseekers.com/wp-includes/customize/c |
| powershell.exe, 00000002.00000002.3114097341.0000025101D1D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3114097341.0000025100248000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3114097341.0000025100510000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB19AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gratitudeseekers.com/wp-includes/customize/css/bd.txt |
| powershell.exe, 00000004.00000002.2341736438.000001BDB1988000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB1675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB032E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0326000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB16A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2341736438.000001BDB0440000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com |
| 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
| 18.2.powershell.exe.19971c2ad28.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
| 13.2.powershell.exe.1eb5d86a448.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
| 23.2.powershell.exe.23e13f69f58.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
| 20.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
| 20.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 23.2.powershell.exe.23e13f69f58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 13.2.powershell.exe.1eb5d86a448.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 18.2.powershell.exe.19971c2ad28.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
| 00000014.00000002.2378700702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
| 0000000D.00000002.2594598048.000001EB5D6E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 00000012.00000002.2661640004.0000019971901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 0000000D.00000002.2594598048.000001EB5D360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| 00000017.00000002.2806942257.0000023E13C40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| Process Memory Space: powershell.exe PID: 1600, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
| Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth |
| Process Memory Space: powershell.exe PID: 6764, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
| Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
| Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth |
| Process Memory Space: powershell.exe PID: 3796, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |