Suspect of persistent memory infection (BEM, Powershell)

Hello, we noticed some strange behaviour on a customer that was involved in a BEM attack.
No infection was found on the endpoint (protected with Webroot), but after investigation we noticed obfuscated REG entries:

We were able to decrypt some portions, discovering some PowerSploit code, but we would like to know more about it.
For security, we pulled off the HD and made a...