Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 15_2_10006580 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_00407877 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0044E8F9 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: powershell.exe, 00000006.00000002.2940383088.0000024FCCD37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://desckvbrat.com.br
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.desckvbrat.com.br
Source: AddInProcess32.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 0000000D.00000002.2474230885.000001C41E49E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000004.00000002.2537350188.0000012FD4FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2802400106.0000015045F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2830818460.0000024FC49B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC69EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000006.00000002.2304620541.0000024FB4B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC550A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5506000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbelegi.com.br
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5506000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbelegi.com.br/wp-content/plugins/cognac/H#
Source: powershell.exe, 00000002.00000002.2917323409.0000021E2491B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5506000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbelegi.com.br/wp-content/plugins/cognac/smsinc.txt
Source: powershell.exe, 00000005.00000002.2300798084.0000015036132000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2304620541.0000024FB4B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2917323409.0000021E23C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2300798084.0000015035F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2304620541.0000024FB4941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2238540317.00000260B1B7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2300798084.0000015036132000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2304620541.0000024FB4B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000006.00000002.2304620541.0000024FB4B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AddInProcess32.exe, AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: AddInProcess32.exe, AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2917323409.0000021E23C0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2917323409.0000021E23C60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC4F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2300798084.0000015035F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2304620541.0000024FB4941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2238540317.00000260B1BA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2238540317.00000260B1BBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000006.00000002.2830818460.0000024FC49B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2830818460.0000024FC49B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2830818460.0000024FC49B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC556D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000006.00000002.2304620541.0000024FB4B62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5F83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: AddInProcess32.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000004.00000002.2537350188.0000012FD4FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2802400106.0000015045F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2830818460.0000024FC49B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC667D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC69D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5F83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC667D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/2A2GE/0
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC667D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/2A2GE/0P
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC69D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/oWGnC/0
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC69D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/oWGnC/0P
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC5559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/qYZ64/0
Source: powershell.exe, 0000000D.00000002.2326336524.000001C40E6B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2326336524.000001C40E4A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000D.00000002.2326336524.000001C40E4A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pQQ0n3eA
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, AddInProcess32.exe, 00000018.00000002.2392226632.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: AddInProcess32.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000004.00000002.2292021482.0000012FC54E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC5341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC6A31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC54A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC66D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC535F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2292021482.0000012FC555F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 20_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 21_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 21_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: 27.2.powershell.exe.1c7286e7ed8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 27.2.powershell.exe.1c7286e7ed8.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 27.2.powershell.exe.1c7286e7ed8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 18.2.powershell.exe.286cfc17920.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 18.2.powershell.exe.286cfc17920.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 18.2.powershell.exe.286cfc17920.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 13.2.powershell.exe.1c41e7c6f90.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 13.2.powershell.exe.1c41e7c6f90.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 13.2.powershell.exe.1c41e7c6f90.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 27.2.powershell.exe.1c7286e7ed8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 27.2.powershell.exe.1c7286e7ed8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 13.2.powershell.exe.1c41e7c6f90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 13.2.powershell.exe.1c41e7c6f90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 18.2.powershell.exe.286cfc17920.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 18.2.powershell.exe.286cfc17920.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000012.00000002.2608765133.00000286CFA70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0000000D.00000002.2474230885.000001C41E230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0000001B.00000002.2715340821.000001C7283BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0000000D.00000002.2474230885.000001C41E49E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000014.00000002.2356908740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000014.00000002.2356908740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000014.00000002.2356908740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5236, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1436, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String | Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1436, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7224, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: powershell.exe PID: 7224, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String | Author: Florian Roth