"In the logs we first observed a new service being installed on the backup server. Following that we observed the service execute and spawn a process tree that included a command to use COMSVCS to output a credential dump to a file in the temp directory:"
➡️ The above is from a Private Threat Brief: "Fake WinSCP Software Serves Supper and Oyster"
➡️➡️ Interested in receiving more details about this report? Contact us for a demo or pricing - https://thedfirreport.com/contact/
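
The sequence quoted above (a service install followed by a process that references COMSVCS and writes to a temp directory) can be hunted for by correlating two event types per host. This is an added example, not code or data from the threat brief; the event field names, sample records, host names and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample telemetry, not taken from the report. Field names are
# assumptions loosely modelled on Event ID 7045 (service installed) and
# Event ID 4688 (process creation with command-line logging enabled).
EVENTS = [
    {"ts": "2025-01-01T10:00:00", "host": "BACKUP01", "event_id": 7045,
     "service": "ExampleSvc"},
    {"ts": "2025-01-01T10:00:40", "host": "BACKUP01", "event_id": 4688,
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll,<export> "
                r"<pid> C:\Windows\Temp\constructed.dmp full"},
    # Temp path but no comsvcs reference: must not match.
    {"ts": "2025-01-01T10:01:00", "host": "BACKUP01", "event_id": 4688,
     "cmdline": r"notepad.exe C:\Windows\Temp\notes.txt"},
    # Matching command line on a host with no recent service install.
    {"ts": "2025-01-01T10:02:00", "host": "WEB01", "event_id": 4688,
     "cmdline": r"rundll32.exe comsvcs.dll,<export> <pid> "
                r"C:\Users\a\AppData\Local\Temp\x.dmp full"},
]

COMSVCS = re.compile(r"\bcomsvcs(\.dll)?\b", re.I)
TEMP_DIR = re.compile(r"\\(?:windows\\temp|appdata\\local\\temp)\\|%temp%", re.I)

def find_comsvcs_dumps(events, window_s=600):
    """Return one finding per suspicious process event.

    'correlated' is True when a service install was logged on the same host
    within window_s seconds before the process started.
    """
    installs = {}   # host -> [(install time, service name)]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 7045:
            installs.setdefault(ev["host"], []).append((when, ev["service"]))
        elif ev["event_id"] == 4688:
            cmd = ev.get("cmdline", "")
            if not (COMSVCS.search(cmd) and TEMP_DIR.search(cmd)):
                continue
            svc = next((name for t0, name in installs.get(ev["host"], [])
                        if 0 <= (when - t0).total_seconds() <= window_s), None)
            findings.append({"host": ev["host"], "service": svc,
                             "correlated": svc is not None, "cmdline": cmd})
    return findings

if __name__ == "__main__":
    for f in find_comsvcs_dumps(EVENTS):
        print(f)
```

A command line that matches without a preceding service install is still reported, with `correlated` set to False, so it can be triaged at lower priority than the full sequence.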
