Source: unknown |
TCP traffic detected without corresponding DNS query: 104.46.162.224 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 13.85.23.86 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGMmbv7EGIjDxSar4WO0-S0uWb0H8SKABZOs27vCm-xkEEvvoD9N2_qL9rmpaRiHRZ6EwWKo7rWEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-16; NID=513=cpCzoT4qGm5zcDuRSID2CsJh9sn8-nIkAz4W0ws9JIER7KDCGqWTxBppdZJMx90aOWfJxw02-HBSW14uDLO_2lSNkE06jKq-tkvRczYaYFm5RFVvXtJme7rvfHrLpEL3KBqd_PemKwzYtDwTsSurlvwCk6D_8U2BDyQ4QrL-wpY |
Source: global traffic |
HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGMmbv7EGIjA1M1nVZLAVtFVS1FJZIi_5LMmPbtWOrECDQwQLeRMtMGkTzIEOrMpTy5uPF0ejBXoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-16; NID=513=c12tpn7gsBXXz3DaF0SddPAgdYmgAwRg8WdeBlI7mc6aJYHgD3SF_MB1X2Rl4jEwLUmtfFyd7EEttNb14p8SlqpbKTt3_zaX_jQ2_Z7Aw8C3NC6ZCDEhIHPKzRUb2D45KxVdMRI_7Hgzh1ed1LxuOAx_DCxSQEWn6m0hPUXutzA |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7AspT72LxHflFeT&MD=dSG8PB7Y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com |
Source: global traffic |
HTTP traffic detected: GET /raw/nDU16UcU HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pastebin.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br |
Source: global traffic |
HTTP traffic detected: GET /ap/xwapri.txt HTTP/1.1Host: joccupationalscience.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7AspT72LxHflFeT&MD=dSG8PB7Y HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com |
Source: wscript.exe, 00000016.00000003.2505410033.000001E29ADD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2291202340.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000002.2507631660.000001E29AD7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290666841.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290069829.000001E29AD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2501987705.000001E29CA2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2505938557.000001E29AD48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2501863905.000001E29CA1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2499227738.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2505913240.000001E29CA30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2291095711.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290431700.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2506698103.000001E29CA05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290765627.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290851235.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290093036.000001E29CA10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2373585434.0000018712219000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000002.2571809237.00000187122A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2548495769.0000018712249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000002.2571210390.000001871224B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2374020200.000001871404E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx |
Source: wscript.exe, 0000000A.00000002.2028065560.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2024998896.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2025313906.00000000007A9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx; |
Source: wscript.exe, 00000017.00000002.2571809237.00000187122A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2550795701.00000187122A6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxF |
Source: wscript.exe, 0000000A.00000003.1777539382.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2024699049.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777587034.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2027187681.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2023077103.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777411735.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777366203.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2023871779.0000000004BFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777482646.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777634053.0000000004C01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777255061.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2023818531.0000000004BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1777330742.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2291305597.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2503299883.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290989072.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2501987705.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2291202340.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290666841.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2499227738.000001E29CA2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2505913240.000001E29CA30000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxd |
Source: wscript.exe, 00000016.00000003.2291202340.000001E29CA0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000016.00000003.2290572975.000001E29CA04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2374020200.000001871402A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2373724589.0000018714024000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxlp_G |
Source: powershell.exe, 00000011.00000002.2201092770.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B858000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B858000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5 |
Source: qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n |
Source: qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/ |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B858000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567 |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B858000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg |
Source: svchost.exe, 00000005.00000003.2351898406.000002132B842000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0/go |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B88D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe |
Source: qmgr.db.5.dr |
String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20 |
Source: powershell.exe, 00000011.00000002.2224817157.0000000008343000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://joccupationalscience.org |
Source: powershell.exe, 00000011.00000002.2201518867.00000000057CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000001F.00000002.2791902468.0000021940833000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000F.00000002.2750034838.0000000005551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2201518867.0000000004761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2647633404.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2791902468.0000021940623000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000001F.00000002.2791902468.0000021940833000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000001C.00000002.2647633404.000001E400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2791902468.0000021940623000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000F.00000002.2750034838.0000000005551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2201518867.0000000004761000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 00000011.00000002.2201518867.00000000057CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000011.00000002.2201518867.00000000057CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000011.00000002.2201518867.00000000057CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B902000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B95A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: https://g.live.com/odclientsettings/Prod.C: |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B902000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2 |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B8E3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1735910747.000002132B947000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1735910747.000002132B934000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1735910747.000002132B902000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C: |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B902000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 |
Source: powershell.exe, 0000001F.00000002.2791902468.0000021940833000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000011.00000002.2224817157.00000000081C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://joccupationalscience.org |
Source: powershell.exe, 00000011.00000002.2224817157.00000000081C1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://joccupationalscience.org/ap/xwapri.txt |
Source: wscript.exe, 0000000A.00000003.2025506514.00000000055CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2028988937.00000000055CD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com |
Source: powershell.exe, 00000011.00000002.2201518867.00000000057CE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B902000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr |
String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe |
Source: svchost.exe, 00000005.00000003.1735910747.000002132B896000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C: |
Source: wscript.exe, 0000000A.00000003.2025506514.00000000055CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2028988937.00000000055CD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/ |
Source: wscript.exe, 0000000A.00000003.2027187681.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2028628094.0000000004C22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2024778383.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2023871779.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2023077103.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2027295078.0000000004C20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2027328563.0000000004C22000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU |
Source: wscript.exe, 00000017.00000003.2554538404.0000018714475000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2546496727.000001871403C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000002.2579041932.0000018714020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000017.00000003.2544413411.00000187142EF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcU |
Source: wscript.exe, 0000000A.00000003.2024998896.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2025313906.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2028065560.00000000007C7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcU(H. |
Source: wscript.exe, 0000000A.00000003.2024998896.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2025313906.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2028065560.00000000007C7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcU2H8 |
Source: wscript.exe, 00000017.00000003.2544413411.00000187142EF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcUC: |
Source: wscript.exe, 00000017.00000003.2544413411.00000187142EF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcUicLMEMH |
Source: wscript.exe, 00000016.00000002.2508053940.000001E29CCE0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcUj |
Source: wscript.exe, 00000017.00000003.2544413411.000001871432A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://pastebin.com/raw/nDU16UcUy1 |
Source: powershell.exe, 00000011.00000002.2221602796.0000000006F7D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.c |
Source: powershell.exe, 00000011.00000002.2201518867.00000000048B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2647633404.000001E400223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2791902468.0000021940833000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br |
Source: powershell.exe, 0000001F.00000002.2740908771.000002193E61F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029 |
Source: 32.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 17.2.powershell.exe.8369ff4.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 17.2.powershell.exe.8369ff4.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000020.00000002.2634046065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000011.00000002.2224817157.000000000835E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8032, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 6424, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7956, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 4008, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |