Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
22_2_0040928E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
22_2_0041C322 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
22_2_0040C388 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
22_2_004096A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
22_2_00408847 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_00407877 FindFirstFileW,FindNextFileW, |
22_2_00407877 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0044E8F9 FindFirstFileExA, |
22_2_0044E8F9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
22_2_0040BB6B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
22_2_00419B86 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 22_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
22_2_0040BD72 |
Source: powershell.exe, 00000004.00000002.2365621636.000001D7328F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73305A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://desckvbrat.com.br |
Source: powershell.exe, 00000004.00000002.2365621636.000001D7328F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73305A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ftp.desckvbrat.com.br |
Source: AddInProcess32.exe |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: powershell.exe, 0000000D.00000002.2573017500.0000020B6F6D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: powershell.exe, 00000004.00000002.3035288424.000001D741923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D7333B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2703900892.000001D213CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2567041644.000002AE10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166812.000001A7057A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2326895569.000001A713E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2326895569.000001A713F77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://paste.ee |
Source: powershell.exe, 00000008.00000002.2259166812.000001A70562D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000005.00000002.2274904519.000001D203E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2268735686.000002AE00222000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000002.00000002.3142748199.000002940A3ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D7318B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2274904519.000001D203C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2268735686.000002AE00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166812.000001A703DC1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2274904519.000001D203E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2268735686.000002AE00222000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731E6B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://simonastolerciuc.ro |
Source: powershell.exe, 00000008.00000002.2259166812.000001A705293000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000008.00000002.2259166812.000001A70562D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000006.00000002.2806064985.000002AE79900000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000002.00000002.3142748199.000002940A3A2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000002.00000002.3142748199.000002940A3C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D7318B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2274904519.000001D203C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2268735686.000002AE00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166812.000001A703DC1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://analytics.paste.ee; |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdnjs.cloudflare.com; |
Source: powershell.exe, 00000008.00000002.2326895569.000001A713F77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.2326895569.000001A713F77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.2326895569.000001A713F77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731EDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D7318B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731AD3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2345301135.000001D72FD44000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2339405962.000001D72FBE4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3113735433.000001D749C10000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id= |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.googleapis.com |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fonts.gstatic.com; |
Source: powershell.exe, 00000008.00000002.2259166812.000001A70562D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.2365621636.000001D7328F6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000006.00000002.2789799288.000002AE7987F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ion=v4.535 |
Source: powershell.exe, 00000005.00000002.2869431264.000001D21C2E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ion=v4.5: |
Source: powershell.exe, 00000004.00000002.3035288424.000001D741923000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D7333B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2703900892.000001D213CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2567041644.000002AE10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166812.000001A7057A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2326895569.000001A713E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2326895569.000001A713F77000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000008.00000002.2259166812.000001A705293000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000008.00000002.2259166812.000001A705293000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731AD3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D732FDC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee |
Source: powershell.exe, 00000004.00000002.2365621636.000001D7328F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731AD3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D732FDC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/9xfVr/0 |
Source: powershell.exe, 00000004.00000002.2365621636.000001D732FDC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/9xfVr/0P |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731EC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731EA3000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/FwIIK/0 |
Source: powershell.exe, 00000004.00000002.2365621636.000001D733335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73305A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/P0BOw/0 |
Source: powershell.exe, 00000004.00000002.2365621636.000001D733335000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://paste.ee/d/P0BOw/0P |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://secure.gravatar.com |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731E67000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://simonastolerciuc.ro |
Source: powershell.exe, 00000002.00000002.3142748199.000002940B0A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E67000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://simonastolerciuc.ro/images/server.txt |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731E67000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://simonastolerciuc.ro/images/sh |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://themes.googleusercontent.com |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com; |
Source: powershell.exe, 00000004.00000002.2365621636.000001D731CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D73338C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D733008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731ECB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731E46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2365621636.000001D731CBF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: 13.2.powershell.exe.20b6fc69a78.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 13.2.powershell.exe.20b6fc69a78.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 13.2.powershell.exe.20b6fc69a78.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 22.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.powershell.exe.2a61f81adc8.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.powershell.exe.2a61f81adc8.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.powershell.exe.2a61f81adc8.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 22.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 25.2.powershell.exe.1425f089f00.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 25.2.powershell.exe.1425f089f00.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 25.2.powershell.exe.1425f089f00.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 13.2.powershell.exe.20b6fc69a78.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 13.2.powershell.exe.20b6fc69a78.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 25.2.powershell.exe.1425f089f00.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 25.2.powershell.exe.1425f089f00.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.powershell.exe.2a61f81adc8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.powershell.exe.2a61f81adc8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000D.00000002.2573017500.0000020B6F6D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000014.00000002.2640881917.000002A61F4F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000016.00000002.2401718078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000016.00000002.2401718078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000016.00000002.2401718078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000D.00000002.2573017500.0000020B6FAC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000019.00000002.2865279267.000001425ED61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 3700, type: MEMORYSTR |
Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth |
Source: Process Memory Space: powershell.exe PID: 3700, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7572, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: powershell.exe PID: 7572, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |