| Source | File source | Type |
|---|---|---|
| Yara match | 23.2.powershell.exe.20958f44b38.1.unpack | UNPACKEDPE |
| Yara match | 23.2.powershell.exe.20958f44b38.1.raw.unpack | UNPACKEDPE |
| Yara match | 20.2.RegAsm.exe.400000.0.unpack | UNPACKEDPE |
| Yara match | 12.2.powershell.exe.20a2a7dbe00.1.unpack | UNPACKEDPE |
| Yara match | 18.2.powershell.exe.2078fd84ec0.0.unpack | UNPACKEDPE |
| Yara match | 23.2.powershell.exe.20958f407d8.2.raw.unpack | UNPACKEDPE |
| Yara match | 12.2.powershell.exe.20a2a7d7a88.0.raw.unpack | UNPACKEDPE |
| Yara match | 18.2.powershell.exe.2078fd80b60.1.raw.unpack | UNPACKEDPE |
| Yara match | 12.2.powershell.exe.20a2a7dbe00.1.raw.unpack | UNPACKEDPE |
| Yara match | 18.2.powershell.exe.2078fd84ec0.0.raw.unpack | UNPACKEDPE |
| Yara match | 00000017.00000002.2442574542.0000020959177000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 0000000F.00000002.3000375928.0000000002891000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 0000000C.00000002.2263158349.0000020A2AA0C000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 00000012.00000002.2358188672.000002078FFB6000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 00000017.00000002.2442574542.0000020958E27000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | 00000014.00000002.2386362117.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MEMORY |
| Yara match | 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp | MEMORY |
| Yara match | Process Memory Space: powershell.exe PID: 1088 | MEMORYSTR |
| Yara match | Process Memory Space: powershell.exe PID: 5792 | MEMORYSTR |
| Yara match | Process Memory Space: RegAsm.exe PID: 7212 | MEMORYSTR |
| Yara match | Process Memory Space: powershell.exe PID: 7428 | MEMORYSTR |
| Yara match | Process Memory Space: RegAsm.exe PID: 7544 | MEMORYSTR |
| Yara match | Process Memory Space: powershell.exe PID: 7656 | MEMORYSTR |
| Source | String found in binary or memory |
|---|---|
| powershell.exe, 00000005.00000002.2847112726.00000256B7F77000.00000004.00000020.00020000.00000000.sdmp | http://crl.mdHy |
| powershell.exe, 00000002.00000002.3002434212.000001E2ED8B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2262307910.0000020A28534000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2353901429.000002078DA85000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2420905012.0000020956705000.00000004.00000020.00020000.00000000.sdmp | http://crl.microsoft |
| powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp | http://desckvbrat.com.br |
| powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp | http://firebasestorage.googleapis.com |
| powershell.exe, 00000004.00000002.2236815480.000001D394365000.00000004.00000800.00020000.00000000.sdmp | http://ftp.desckvbrat.com.br |
| powershell.exe, 00000004.00000002.2236815480.000001D3947B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp | http://nuget.org/NuGet.exe |
| powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FF6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020959130000.00000004.00000800.00020000.00000000.sdmp | http://pastebin.com |
| powershell.exe, 00000004.00000002.2236815480.000001D3943BA000.00000004.00000800.00020000.00000000.sdmp | http://pastecodeapp.vercel.app |
| powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp | http://pesterbdd.com/images/Pester.png |
| powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/soap/encoding/ |
| powershell.exe, 00000002.00000002.2935786151.000001E2D57DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F73A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588A6000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| powershell.exe, 00000005.00000002.2200486936.000002569FC22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542643000.00000004.00000800.00020000.00000000.sdmp | http://schemas.xmlsoap.org/wsdl/ |
| powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp | http://www.apache.org/licenses/LICENSE-2.0 |
| powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp | http://www.apache.org/licenses/LICENSE-2.0.html |
| powershell.exe, 00000005.00000002.2838267967.00000256B7D72000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2444391639.0000020A42535000.00000004.00000020.00020000.00000000.sdmp | http://www.microsoft.co |
| powershell.exe, 00000002.00000002.2935786151.000001E2D5798000.00000004.00000800.00020000.00000000.sdmp | https://aka.ms/pscore6 |
| powershell.exe, 00000002.00000002.2935786151.000001E2D57AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D392C78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2200486936.000002569FA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2195084850.000001F542421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F55B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A15D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A14F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078F6E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.00000209588BE000.00000004.00000800.00020000.00000000.sdmp | https://aka.ms/pscore68 |
| powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/ |
| powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/Icon |
| powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp | https://contoso.com/License |
| powershell.exe, 00000004.00000002.2231129642.000001D3911C0000.00000004.00000020.00020000.00000000.sdmp | https://drive.google.com/uc?export=download&id= |
| powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3931F0000.00000004.00000800.00020000.00000000.sdmp | https://firebasestorage.googleapis.com |
| powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3931F0000.00000004.00000800.00020000.00000000.sdmp | https://firebasestorage.googleapis.com/v0/b/descargas-dc4d6.appspot.com/o/envios-nuevos.txt?alt=medi |
| powershell.exe, 00000004.00000002.2236815480.000001D39475B000.00000004.00000800.00020000.00000000.sdmp | https://firebasestorage.googleh |
| powershell.exe, 00000008.00000002.2178810552.0000020F55D32000.00000004.00000800.00020000.00000000.sdmp | https://github.com/Pester/Pester |
| powershell.exe, 00000004.00000002.2236815480.000001D393C6B000.00000004.00000800.00020000.00000000.sdmp | https://go.micro |
| powershell.exe, 00000004.00000002.2856145468.000001D3A2CD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2724257529.00000256AFA70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2661344132.000001F552490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65B7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2178810552.0000020F573ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2276224624.0000020F65CB4000.00000004.00000800.00020000.00000000.sdmp | https://nuget.org/nuget.exe |
| powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp | https://oneget.org |
| powershell.exe, 00000008.00000002.2178810552.0000020F56FCF000.00000004.00000800.00020000.00000000.sdmp | https://oneget.orgX |
| powershell.exe, 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2263158349.0000020A2A9C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.000002095912A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020958FB2000.00000004.00000800.00020000.00000000.sdmp | https://pastebin.com |
| powershell.exe, 0000000C.00000002.2263158349.0000020A2A709000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2358188672.000002078FC86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2442574542.0000020958FB2000.00000004.00000800.00020000.00000000.sdmp | https://pastebin.com/raw/pQQ0n3eA |
| powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vX |
| powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vXB |
| powershell.exe, 00000004.00000002.2236815480.000001D392E83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app |
| powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39322F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/raw |
| powershell.exe, 00000004.00000002.2236815480.000001D39323F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/019220a3-9326-7b46-b740-ef110ecdb453/rawP |
| powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D3946D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39306F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2236815480.000001D39440D000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/raw |
| powershell.exe, 00000004.00000002.2236815480.000001D3946E3000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/019220a5-2811-7ab8-829c-a7f4350452e0/rawP |
| powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/raw |
| powershell.exe, 00000004.00000002.2236815480.000001D39438F000.00000004.00000800.00020000.00000000.sdmp | https://pastecodeapp.vercel.app/pastes/01922156-0a1a-798a-ba18-d0ce12473978/rawP |
| Source | Type | Matched rule | Author |
|---|---|---|---|
| Process Memory Space: powershell.exe PID: 2748 | MEMORYSTR | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| Process Memory Space: powershell.exe PID: 1088 | MEMORYSTR | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| Process Memory Space: powershell.exe PID: 5792 | MEMORYSTR | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| Process Memory Space: powershell.exe PID: 7428 | MEMORYSTR | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| Process Memory Space: powershell.exe PID: 7656 | MEMORYSTR | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |