
Sid 1-46969


MALWARE-CNC Win.Trojan.Autophyte dropper variant outbound connection


This event is generated when a compromised internal PC reaches out to fetch mainls.cs, a PowerShell script that downloads additional malware.
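The condition described above (an internal host fetching mainls.cs from an external server) can also be checked against web-proxy logs after the fact. The following is an added example written for this page, not the Snort rule or any Talos code: it assumes a squid-like "timestamp src_ip method url status" log format, treats RFC 1918 addresses as internal and everything else (including bare hostnames) as external, and matches the file name case-insensitively, all of which are assumptions. The log lines are constructed for the example.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed sample proxy log ("timestamp src_ip method url status"); not real traffic.
# Line 3 varies case and adds a query string; line 4 comes from a non-internal source;
# line 5 requests a different file (mainls.css) and must not match.
SAMPLE_LOG = """\
1527000001.123 10.20.30.41 GET http://203.0.113.7/files/mainls.cs 200
1527000002.456 10.20.30.42 GET http://www.example.com/index.html 200
1527000003.789 10.20.30.43 GET http://203.0.113.7/update/MAINLS.CS?x=1 200
1527000004.012 198.51.100.9 GET http://203.0.113.7/files/mainls.cs 200
1527000005.345 10.20.30.44 GET http://intranet.corp.example/mainls.css 200
"""

# Assumption: RFC 1918 space is "internal"; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File name taken from the rule description; case-insensitive match is an assumption.
DROPPER_FILENAME = "mainls.cs"


def is_internal(host):
    """True if host is an IP address inside an internal range.
    Hostnames (not IPs) are treated as external (assumption)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def is_dropper_fetch(entry):
    """Outbound request from an internal host for a file named mainls.cs."""
    parsed = urlsplit(entry["url"])
    name = posixpath.basename(parsed.path).lower()   # strips directories and query string
    return (name == DROPPER_FILENAME
            and is_internal(entry["src"])
            and not is_internal(parsed.hostname or ""))


def find_dropper_fetches(log_text):
    """Return the log entries that match the dropper download pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_dropper_fetch(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_dropper_fetches(SAMPLE_LOG):
        print(f"ALERT src={hit['src']} url={hit['url']}")
```

Only the first and third constructed lines are flagged: the request from 198.51.100.9 is not from an internal host, and mainls.css is a different file name. Matching on the path's basename rather than a substring is what keeps that last case from producing a false positive.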


Trojan Activity

Detailed information

Autophyte's dropper, also known as PowerSpritz, is a downloader that renames itself to something innocuous on the user's system, downloads additional payloads, and deletes itself once its objective is complete.

Affected systems

  • Windows 7, 8, 10

Ease of attack

False positives

Not known.

False negatives

Not known.

Corrective action

Please follow corporate mitigation practices.


  • Cisco's Talos Intelligence Group

Additional References