Source: |
Binary string: \??\C:\Windows\System.Core.pdb8 source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\Z:\syscalls\amsi64_3652.amsi.csve.pdby source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb_ source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.Core.pdb[ source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: .pdbpdblib.pdbt source: powershell.exe, 00000006.00000002.2332491480.00000236728E5000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000003.00000002.2205606590.000001C44DDC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.pdb0 source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000003.00000002.2207112935.000001C44DE35000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb/ source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.2336401057.0000023672CA8000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 00000003.00000002.2207112935.000001C44DE35000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2205606590.000001C44DDC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2191986716.0000023658A7B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000006.00000002.2336728757.0000023672D04000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2332491480.00000236728E5000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.2336728757.0000023672CCA000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: lib.pdby source: powershell.exe, 00000003.00000002.2207112935.000001C44DE35000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbk source: powershell.exe, 00000006.00000002.2336728757.0000023672D04000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2191986716.0000023658A7B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.pdbv source: powershell.exe, 00000003.00000002.2211968494.000001C44DF02000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb. source: powershell.exe, 00000006.00000002.2336728757.0000023672CCA000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb$ source: powershell.exe, 00000003.00000002.2209696048.000001C44DE9B000.00000004.00000020.00020000.00000000.sdmp |
Source: global traffic |
HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: global traffic |
HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net |
Source: powershell.exe, 00000003.00000002.2149986958.000001C436031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B05D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api-env.dropbox-dns.com |
Source: powershell.exe, 00000003.00000002.2149986958.000001C436031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B05D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api.dropboxapi.com |
Source: powershell.exe, 00000003.00000002.2149986958.000001C43646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B1D0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://content.dropboxapi.com |
Source: powershell.exe, 00000003.00000002.2198466333.000001C44DB9A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: powershell.exe, 00000003.00000002.2198466333.000001C44DB9A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2 |
Source: svchost.exe, 0000000A.00000002.3341352400.000001869E200000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.ver) |
Source: powershell.exe, 00000003.00000002.2149986958.000001C43646C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B1D0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://edge-block-api-env.dropbox-dns.com |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5 |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
Source: qmgr.db.10.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
Source: qmgr.db.10.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000006.00000002.2197879144.000002365B9DE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://go.micros |
Source: powershell.exe, 00000003.00000002.2186000315.000001C4459CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2323233329.000002366A7DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000006.00000002.2197879144.000002365A99A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.2149986958.000001C435B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365AD22000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000003.00000002.2149986958.000001C435961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365A776000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.2149986958.000001C435B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365AD22000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000006.00000002.2197879144.000002365A99A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.2203452588.000001C44DD98000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft. |
Source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.S |
Source: powershell.exe, 00000006.00000002.2336728757.0000023672D58000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.StorageReliabilityCounter.cdxml |
Source: powershell.exe, 00000003.00000002.2149986958.000001C435961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365A776000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000006.00000002.2197879144.000002365AD22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2336728757.0000023672D04000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp |
Source: powershell.exe, 00000003.00000002.2149986958.000001C4375F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2149986958.000001C436AAB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2149986958.000001C4375CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365C381000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX |
Source: powershell.exe, 00000003.00000002.2149986958.000001C435B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365AD22000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.dropboxapi.com |
Source: powershell.exe, 00000006.00000002.2197879144.000002365B084000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2191986716.0000023658A7B000.00000004.00000020.00020000.00000000.sdmp, 11111.lnk |
String found in binary or memory: https://api.dropboxapi.com/oauth2/token |
Source: powershell.exe, 00000003.00000002.2149986958.000001C4362F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B0AA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://content.dropboxapi.com |
Source: powershell.exe, 00000006.00000002.2197879144.000002365B084000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B097000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2191986716.0000023658A7B000.00000004.00000020.00020000.00000000.sdmp, 11111.lnk |
String found in binary or memory: https://content.dropboxapi.com/2/files/download |
Source: powershell.exe, 00000006.00000002.2323233329.000002366A7DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000006.00000002.2323233329.000002366A7DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000006.00000002.2323233329.000002366A7DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: qmgr.db.10.dr |
String found in binary or memory: https://g.live.com/odclientsettings/Prod1C: |
Source: svchost.exe, 0000000A.00000003.2204818828.000001869E0C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C: |
Source: powershell.exe, 00000006.00000002.2197879144.000002365A99A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.2149986958.000001C43796E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2149986958.000001C436AAB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B6A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365B9DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2197879144.000002365C381000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.2186000315.000001C4459CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2323233329.000002366A7DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49710 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49714 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49711 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: amsi64_3916.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi64_3652.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 3916, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 3652, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: unknown |
Process created: Commandline size = 3919 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 3375 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 3919 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 3375 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 3375 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 3919 |
Source: C:\Windows\System32\cmd.exe |
Process created: Commandline size = 3375 |
|