Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 16_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 16_2_10006580 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_00407877 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0044E8F9 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 27_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 28_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 29_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: powershell.exe, 00000006.00000002.2825477153.00000197C30AC000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000006.00000002.2825477153.00000197C30AC000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2776493030.000001825DACA000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000006.00000002.2825477153.00000197C30AC000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microso$
Source: powershell.exe, 00000006.00000002.2825477153.00000197C30AC000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microso$$
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B254000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.2230575334.000001D62AB94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B254000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://ftp.desckvbrat.com.br
Source: AddInProcess32.exe
String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000D.00000002.2497137064.0000021A90402000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2497137064.0000021A90011000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B65A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2955555975.000001D639BC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2616965049.00000182554D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2643079703.00000197BA9D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2214552763.00000210D1F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2214552763.00000210D1DD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C3734000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000008.00000002.2146116914.00000210C1F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2160647803.0000018245682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2160885075.00000197AAB82000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.3050157640.00000136800AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2160647803.0000018245461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2160885075.00000197AA961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C1D51000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2160647803.0000018245682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2160885075.00000197AAB82000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.2230575334.000001D62A10B000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://simonastolerciuc.ro
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000008.00000002.2146116914.00000210C1F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2146116914.00000210C35E9000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlP
Source: AddInProcess32.exe, AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: http://www.ebuddy.com
Source: AddInProcess32.exe, AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: http://www.imvu.com
Source: AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: http://www.imvu.comr
Source: powershell.exe, 00000005.00000002.2774841389.000001825D7C0000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://www.microsoft.
Source: AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.3050157640.0000013680038000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.3050157640.0000013680098000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2160647803.0000018245461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2160885075.00000197AA961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C1D51000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3734000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3734000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3734000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.3033014790.000001D641F75000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 00000004.00000002.2213567570.000001D6280CA000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000008.00000002.2146116914.00000210C1F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2230575334.000001D62AB94000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.3029633737.000001D641EE0000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://go.microsoft.cos$?CL
Source: AddInProcess32.exe
String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B65A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2955555975.000001D639BC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2616965049.00000182554D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2643079703.00000197BA9D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2214552763.00000210D1F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2214552763.00000210D1DD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2146116914.00000210C3734000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000008.00000002.2146116914.00000210C3383000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629D73000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629D73000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee/d/9xfVr/0
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B27D000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee/d/9xfVr/0P
Source: powershell.exe, 00000004.00000002.2230575334.000001D62A141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A165000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee/d/FwIIK/0
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B5D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee/d/P0BOw/0
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B5D7000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://paste.ee/d/P0BOw/0P
Source: powershell.exe, 0000000D.00000002.2247922722.0000021A80492000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000004.00000002.2230575334.000001D62A107000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://simonastolerciuc.ro
Source: powershell.exe, 00000002.00000002.3050157640.0000013680D5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A107000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://simonastolerciuc.ro/images/server.txt
Source: powershell.exe, 00000004.00000002.2230575334.000001D62A107000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://simonastolerciuc.ro/images/sp
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, AddInProcess32.exe, 0000001D.00000002.2375459966.0000000000400000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory: https://www.google.com
Source: AddInProcess32.exe
String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000004.00000002.2230575334.000001D62B2D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B62D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D629F5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62B2A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230575334.000001D62A0E6000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.gstatic.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 22_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 27_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 27_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 28_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 28_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 29_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Code function: 29_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.powershell.exe.1f1f6e4a0f0.1.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.powershell.exe.1f1f6e4a0f0.1.unpack, type: UNPACKEDPE
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.powershell.exe.1f1f6e4a0f0.1.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.powershell.exe.165105a9888.1.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.powershell.exe.165105a9888.1.unpack, type: UNPACKEDPE
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.powershell.exe.165105a9888.1.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.21a905a9530.1.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.21a905a9530.1.unpack, type: UNPACKEDPE
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.powershell.exe.21a905a9530.1.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.powershell.exe.165105a9888.1.raw.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.powershell.exe.165105a9888.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.powershell.exe.1f1f6e4a0f0.1.raw.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.powershell.exe.1f1f6e4a0f0.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.powershell.exe.21a905a9530.1.raw.unpack, type: UNPACKEDPE
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.powershell.exe.21a905a9530.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000016.00000002.2284090504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.2284090504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000016.00000002.2284090504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2497137064.0000021A90011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2497137064.0000021A90402000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.2726582215.0000016510402000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2594444392.000001F1F6B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5500, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR
Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen