
Windows Analysis Report
N1f691bk5G.ps1

Overview

General Information

Sample name: N1f691bk5G.ps1 (renamed because the original name is a hash value)
Original sample name: d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d.ps1
Analysis ID: 1562422
MD5: 33b6c435bdbbec12ae8cba21eb6d105f
SHA1: 41d43dc4ec1187e6120f26158e074e39475b0815
SHA256: d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d
Tags: ducksex-ddnsfree-com, ps1, user-JAMESWT_MHT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_compiler.exe (PID: 5420 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "ducksex.ddnsfree.com", "Port": "6161", "Version": "| CRACKED BY DEXTER-LY", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0xcf68:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x9698:$a3: get_ActivatePong
  • 0xd180:$a4: vmware
  • 0xcff8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa7e8:$a6: get_SslClient
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0xcffa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x17d6e8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x1805d0:$a2: Stub.exe
  • 0x180660:$a2: Stub.exe
  • 0x179e18:$a3: get_ActivatePong
  • 0x17d900:$a4: vmware
  • 0x17d778:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x17af68:$a6: get_SslClient

Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0xd168:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x9898:$a3: get_ActivatePong
  • 0xd380:$a4: vmware
  • 0xd1f8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa9e8:$a6: get_SslClient
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0xd1fa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 4.2.powershell.exe.23cb485bc30.2.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7288, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 5420, ProcessName: aspnet_compiler.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", ProcessId: 7288, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1", ProcessId: 7288, ProcessName: powershell.exe
            No Suricata rule has matched

            AV Detection

Source: 00000007.00000002.3746883357.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "ducksex.ddnsfree.com", "Port": "6161", "Version": "| CRACKED BY DEXTER-LY", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}
Source: N1f691bk5G.ps1 | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

            Networking

Source: Malware configuration extractor | URLs: ducksex.ddnsfree.com
Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.10:49715 -> 178.208.169.197:6161
Source: Joe Sandbox View | ASN Name: PHMGMT-AS1US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ducksex.ddnsfree.com
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB583A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316089103.0000023CB36E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB623A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://localhost:3030/Service.asmx
Source: powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB3761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB3761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR

            System Summary

Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.powershell.exe.23cb36e0000.0.raw.unpack, c49e11983285d4ab2e059050de6df5a41.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 4.2.powershell.exe.23cb68fc0b8.6.raw.unpack, c49e11983285d4ab2e059050de6df5a41.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, jlsfKWsjaVv.cs | Base64 encoded string:
Source: classification engine | Classification label: mal100.troj.evad.winPS1@4/5@3/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxnp3xch.mql.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: N1f691bk5G.ps1 | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: schannel.dllJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

            Data Obfuscation

            Source: 4.2.powershell.exe.23cb36e0000.0.raw.unpack, c599d343cac5014aad62aae883c42172b.cs | .Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
            Source: 4.2.powershell.exe.23cb68fc0b8.6.raw.unpack, c599d343cac5014aad62aae883c42172b.cs | .Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
            Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, xrossUpUgDCJrcSEI.cs | .Net Code: nOoZahaniTFF System.AppDomain.Load(byte[])
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7C105501B push 8B485E45h; iretd 4_2_00007FF7C1055020
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF7C10500BD pushad ; iretd 4_2_00007FF7C10500C1
            Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, BGdjDDpgXZdI.cs | High entropy of concatenated method names: 'VvznAZMSelWH', 'rZtkoDGEuzAf', 'NqXffOYeALLeoVmZl', 'cqhTNJjvrwLmZ', 'XAUzuNIIifMSBkBnA', 'aqMTzLLmknnK', 'opHXlstebrMYzK', 'vTYYhyfeTSN', 'QsBrxZsssig', 'OlbygUKhPPgbra'
            Source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, TUsMcMDxLo.cs | High entropy of concatenated method names: 'CqnoGKqodh', 'SdYLFIZlxIrMD', 'NPukkKbqHQkAA', 'kQvJJnzylSR', 'dkNHbIsXjTEa', 'DqFabvntiuwcPmpJt', 'NoVTeUWwRrrordIQ', 'deTFpRPLpi', 'FcaBKFLMUTtkJ', 'xZLyKkTQEHR'

            Boot Survival

            Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7288, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (88 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)

            Malware Analysis System Evasion

            Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7288, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR
            Source: powershell.exe, 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 1740000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 2F10000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 4F10000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3372
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3642
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 1548
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 8439
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5948 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6052 | Thread sleep count: 1548 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6052 | Thread sleep time: -1548000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6052 | Thread sleep count: 8439 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6052 | Thread sleep time: -8439000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: aspnet_compiler.exe, 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: aspnet_compiler.exe, 00000007.00000002.3758656562.0000000005520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: aspnet_compiler.exe, 00000007.00000002.3758656562.0000000005520000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: EEE008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb53fb788.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb485bc30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.powershell.exe.23cb483ddf0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7288, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 5420, type: MEMORYSTR
MITRE ATT&CK matrix (the number in front of a technique is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 211 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 211 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
N1f691bk5G.ps1 | 21% | ReversingLabs | Script-PowerShell.Backdoor.Asyncrat
No Antivirus matches

Source | Detection | Scanner | Label
http://localhost:3030/Service.asmx | 0% | Avira URL Cloud | safe
ducksex.ddnsfree.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ducksex.ddnsfree.com | 178.208.169.197 | true | true | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
ducksex.ddnsfree.com | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://localhost:3030/Service.asmx | powershell.exe, 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB583A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316089103.0000023CB36E0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB623A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1316341250.0000023CB3761000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1316341250.0000023CB3761000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1316341250.0000023CB4389000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/ | powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1358069077.0000023CC3D8B000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high

IP | Domain | Country | ASN | ASN Name | Malicious
178.208.169.197 | ducksex.ddnsfree.com | Netherlands | 22363 | PHMGMT-AS1US | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1562422
                                  Start date and time:2024-11-25 15:21:24 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 7m 11s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:12
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:N1f691bk5G.ps1
                                  renamed because original name is a hash value
                                  Original Sample Name:d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d.ps1
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winPS1@4/5@3/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 14
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .ps1
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • VT rate limit hit for: N1f691bk5G.ps1
Time | Type | Description
09:22:18 | API Interceptor | 7x Sleep call for process: powershell.exe modified
09:22:56 | API Interceptor | 8207856x Sleep call for process: aspnet_compiler.exe modified
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PHMGMT-AS1US | mips.nn.elf | malicious | Mirai, Okiru | 178.208.190.219
PHMGMT-AS1US | amen.ppc.elf | malicious | Mirai | 45.255.208.12
PHMGMT-AS1US | 2xPiYIsfF2.exe | malicious | AsyncRAT | 128.90.103.230
PHMGMT-AS1US | OhWWbQcp7Q.exe | malicious | AveMaria, UACMe | 128.90.129.125
PHMGMT-AS1US | hb21QzBgft.exe | malicious | AveMaria, UACMe | 128.90.129.125
PHMGMT-AS1US | U2DhKOFGy6.exe | malicious | AsyncRAT | 128.90.129.125
PHMGMT-AS1US | uVyl5BbR2M.exe | malicious | AsyncRAT | 128.90.129.125
PHMGMT-AS1US | ahMvIr4vjN.exe | malicious | AsyncRAT | 128.90.129.125
PHMGMT-AS1US | WlewaiA251.exe | malicious | AsyncRAT | 128.90.129.125
PHMGMT-AS1US | meORoynQKS.exe | malicious | ArrowRAT | 128.90.129.125
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1628158735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllul5mxllp:NllU4x/
                                  MD5:3A925CB766CE4286E251C26E90B55CE8
                                  SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                  SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                  SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6220
                                  Entropy (8bit):3.7161084796710315
                                  Encrypted:false
                                  SSDEEP:48:yjATFdOL0CgDioU2fPiukvhkvklCyw3gq0jsAlLNSogZo4K0jsAl/NSogZoc1:7nTCgS4rkvhkvCCt7gsACH8gsAiHX
                                  MD5:7A222E9D288DE1D6C420B3788B4CD6A7
                                  SHA1:ABC1A3BD084C61D5820ADB79AB1D8B5BCBC1E387
                                  SHA-256:C8EC6F1894DEEC6C2210F4F824D00B3B95F64AC0ACC7C390114F04B6C4A93083
                                  SHA-512:B3C934C65C02BDA0EB5BE5094256E8458F6B608C6D44F2FDE7B5A39488887944E7136ABAF0D4FC0EE66AA5C43CF85E1B2296854CF9CD3A9D9F947D7A3474655D
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ....N.5q...,.imE?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...fm.hE?..Y.wmE?......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NyY.r...........................c..A.p.p.D.a.t.a...B.V.1.....yY.r..Roaming.@......EW)NyY.r..........................Y...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)NyY.r..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NyY.r..............................W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NyY.r....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NyY.r....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)NyY.r................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6220
                                  Entropy (8bit):3.7161084796710315
                                  Encrypted:false
                                  SSDEEP:48:yjATFdOL0CgDioU2fPiukvhkvklCyw3gq0jsAlLNSogZo4K0jsAl/NSogZoc1:7nTCgS4rkvhkvCCt7gsACH8gsAiHX
                                  MD5:7A222E9D288DE1D6C420B3788B4CD6A7
                                  SHA1:ABC1A3BD084C61D5820ADB79AB1D8B5BCBC1E387
                                  SHA-256:C8EC6F1894DEEC6C2210F4F824D00B3B95F64AC0ACC7C390114F04B6C4A93083
                                  SHA-512:B3C934C65C02BDA0EB5BE5094256E8458F6B608C6D44F2FDE7B5A39488887944E7136ABAF0D4FC0EE66AA5C43CF85E1B2296854CF9CD3A9D9F947D7A3474655D
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ....N.5q...,.imE?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...fm.hE?..Y.wmE?......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NyY.r...........................c..A.p.p.D.a.t.a...B.V.1.....yY.r..Roaming.@......EW)NyY.r..........................Y...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)NyY.r..........................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NyY.r..............................W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NyY.r....................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NyY.r....................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)NyY.r................
                                  File type:ASCII text, with very long lines (64623)
                                  Entropy (8bit):3.1900458877489832
                                  TrID:
                                    File name:N1f691bk5G.ps1
                                    File size:255'748 bytes
                                    MD5:33b6c435bdbbec12ae8cba21eb6d105f
                                    SHA1:41d43dc4ec1187e6120f26158e074e39475b0815
                                    SHA256:d4f4d3196d92b306f65ba4f1f90ec73403803530a58196b48db38210e3e3047d
                                    SHA512:8b11308f7e16dc54e1559591d2d741f0a53d0a90c7ddb33bc817d15edcdc46dc4ebedd121925da4c791d7bb8b0a6a74334f63253f6fc3af453765f62826e4a4f
                                    SSDEEP:1536:NYzrwIovquFT/TO5HiSujupnwIE6YcG47rwnv1IJ5YH1llykZXvyd2b5uDSPVZrB:b
                                    TLSH:3044385303851BBDF69D0EC9C94B245B20F2D46B7D251298EBB36EE7BC3B9849430636
                                    File Content Preview:.$love = "C:\Windows\Microsoft.".$love1 ="NET\Framework\v4.0.30319\aspnet_compiler.exe".$GBDWVQYONBIQDJWMDKUVUR = $love + $love1.$love2 = "C:\Windows\Microsoft.".$love22 = "NET\Framework\v2.0.50727\aspnet_compiler.exe".$TPNSJKKGOXEEPYKERBJHCHD = $love2 +
                                    Icon Hash:3270d6baae77db44
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 25, 2024 15:22:25.181282997 CET | 49715 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:25.305130959 CET | 6161 | 49715 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:22:25.306546926 CET | 49715 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:25.320569038 CET | 49715 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:25.440721989 CET | 6161 | 49715 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:22:47.196825027 CET | 6161 | 49715 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:22:47.198156118 CET | 49715 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:52.394501925 CET | 49715 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:52.395572901 CET | 49780 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:52.514466047 CET | 6161 | 49715 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:22:52.515522957 CET | 6161 | 49780 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:22:52.515639067 CET | 49780 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:52.516222000 CET | 49780 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:22:52.636230946 CET | 6161 | 49780 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:14.503267050 CET | 6161 | 49780 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:14.503439903 CET | 49780 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:19.517131090 CET | 49780 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:19.518198013 CET | 49840 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:19.687825918 CET | 6161 | 49780 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:19.687866926 CET | 6161 | 49840 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:19.688067913 CET | 49840 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:19.688605070 CET | 49840 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:19.808636904 CET | 6161 | 49840 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:41.603882074 CET | 6161 | 49840 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:41.604089975 CET | 49840 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:46.667383909 CET | 49840 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:46.771020889 CET | 49901 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:46.787462950 CET | 6161 | 49840 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:46.891284943 CET | 6161 | 49901 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:23:46.891405106 CET | 49901 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:46.906605005 CET | 49901 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:23:47.030575037 CET | 6161 | 49901 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:08.823280096 CET | 6161 | 49901 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:08.823343039 CET | 49901 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:13.830061913 CET | 49901 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:13.834255934 CET | 49961 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:13.954343081 CET | 6161 | 49901 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:13.959095001 CET | 6161 | 49961 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:13.959450006 CET | 49961 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:13.959801912 CET | 49961 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:14.084722042 CET | 6161 | 49961 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:35.895684004 CET | 6161 | 49961 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:35.895781994 CET | 49961 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:40.908123970 CET | 49961 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:41.263326883 CET | 6161 | 49961 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:41.285124063 CET | 49981 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:41.405666113 CET | 6161 | 49981 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:24:41.407054901 CET | 49981 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:41.407558918 CET | 49981 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:24:41.529247999 CET | 6161 | 49981 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:03.365143061 CET | 6161 | 49981 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:03.365223885 CET | 49981 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:08.376687050 CET | 49981 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:08.496691942 CET | 6161 | 49981 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:08.518354893 CET | 49982 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:08.638715029 CET | 6161 | 49982 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:08.638804913 CET | 49982 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:08.639359951 CET | 49982 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:08.759788990 CET | 6161 | 49982 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:30.544533968 CET | 6161 | 49982 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:30.544610023 CET | 49982 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:35.548753023 CET | 49982 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:35.550199032 CET | 49983 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:35.669038057 CET | 6161 | 49982 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:35.670193911 CET | 6161 | 49983 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:35.670289993 CET | 49983 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:35.670928001 CET | 49983 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:25:35.792011023 CET | 6161 | 49983 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:57.622186899 CET | 6161 | 49983 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:25:57.622255087 CET | 49983 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:26:02.658389091 CET | 49983 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:26:02.678416014 CET | 49984 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:26:02.779140949 CET | 6161 | 49983 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:26:02.800168991 CET | 6161 | 49984 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:26:02.803518057 CET | 49984 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:26:02.806425095 CET | 49984 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Nov 25, 2024 15:26:02.929914951 CET | 6161 | 49984 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:26:24.716734886 CET | 6161 | 49984 | 178.208.169.197 | 192.168.2.10
                                    Nov 25, 2024 15:26:24.716856003 CET | 49984 | 6161 | 192.168.2.10 | 178.208.169.197
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 25, 2024 15:22:24.582618952 CET | 51014 | 53 | 192.168.2.10 | 1.1.1.1
                                    Nov 25, 2024 15:22:25.178617954 CET | 53 | 51014 | 1.1.1.1 | 192.168.2.10
                                    Nov 25, 2024 15:24:40.909413099 CET | 49676 | 53 | 192.168.2.10 | 1.1.1.1
                                    Nov 25, 2024 15:24:41.284198999 CET | 53 | 49676 | 1.1.1.1 | 192.168.2.10
                                    Nov 25, 2024 15:25:08.377644062 CET | 60506 | 53 | 192.168.2.10 | 1.1.1.1
                                    Nov 25, 2024 15:25:08.516274929 CET | 53 | 60506 | 1.1.1.1 | 192.168.2.10
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Nov 25, 2024 15:22:24.582618952 CET | 192.168.2.10 | 1.1.1.1 | 0x5ade | Standard query (0) | ducksex.ddnsfree.com | A (IP address) | IN (0x0001) | false
                                    Nov 25, 2024 15:24:40.909413099 CET | 192.168.2.10 | 1.1.1.1 | 0x31a | Standard query (0) | ducksex.ddnsfree.com | A (IP address) | IN (0x0001) | false
                                    Nov 25, 2024 15:25:08.377644062 CET | 192.168.2.10 | 1.1.1.1 | 0xae59 | Standard query (0) | ducksex.ddnsfree.com | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Nov 25, 2024 15:22:25.178617954 CET | 1.1.1.1 | 192.168.2.10 | 0x5ade | No error (0) | ducksex.ddnsfree.com | (none) | 178.208.169.197 | A (IP address) | IN (0x0001) | false
                                    Nov 25, 2024 15:24:41.284198999 CET | 1.1.1.1 | 192.168.2.10 | 0x31a | No error (0) | ducksex.ddnsfree.com | (none) | 178.208.169.197 | A (IP address) | IN (0x0001) | false
                                    Nov 25, 2024 15:25:08.516274929 CET | 1.1.1.1 | 192.168.2.10 | 0xae59 | No error (0) | ducksex.ddnsfree.com | (none) | 178.208.169.197 | A (IP address) | IN (0x0001) | false

                                    Target ID:4
                                    Start time:09:22:15
                                    Start date:25/11/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\N1f691bk5G.ps1"
                                    Imagebase:0x7ff7b2bb0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.1316341250.0000023CB6DDA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.1316341250.0000023CB512D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000004.00000002.1316341250.0000023CB472D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:09:22:15
                                    Start date:25/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:09:22:19
                                    Start date:25/11/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                    Imagebase:0xc60000
                                    File size:56'368 bytes
                                    MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.3742761083.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:moderate
                                    Has exited:false

                                      Execution Graph

                                      Execution Coverage:8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:12
                                      Total number of Limit Nodes:0

                                      Control-flow Graph

                                      [Control-flow graph: function at 7ff7c1058f9d, calls CreateProcessA and the subroutine at 7ff7c1059520]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379201273.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1050000_powershell.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 5fc37e36a3241825235ace4910bdc8742d84f66c20e3661bcad9017574f50abb
                                      • Instruction ID: aeba876b90884385f9f3cd63f805226004ae71b36f6629992b526bca072270ea
                                      • Opcode Fuzzy Hash: 5fc37e36a3241825235ace4910bdc8742d84f66c20e3661bcad9017574f50abb
                                      • Instruction Fuzzy Hash: EB124D70918A8D8FEBA8EF18CC597E977E1FB59310F40413AD80ED7291DB74A681CB85

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379201273.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1050000_powershell.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 56fce12b41d2cef80e22e9d7164228436f1dbe7bb21b33f7f1ccd227a06ae83e
                                      • Instruction ID: 50a912d9f4d478d39c934bd12bf4bdb4feb8983677e6291375b18ea2192f1d8e
                                      • Opcode Fuzzy Hash: 56fce12b41d2cef80e22e9d7164228436f1dbe7bb21b33f7f1ccd227a06ae83e
                                      • Instruction Fuzzy Hash: 8C614970908A1C8FDB94DF68C885BE9BBF1FB69311F1082AAD44CE3255DB74A985CF40

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379201273.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1050000_powershell.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: bea52138693507e126838b0f9e126697ded0431d09804274d5d6f42e80f1ad95
                                      • Instruction ID: 3ac4e2645a1d5c366dec94c35d8e230978b0d6d10f817115d6baa04aede86dab
                                      • Opcode Fuzzy Hash: bea52138693507e126838b0f9e126697ded0431d09804274d5d6f42e80f1ad95
                                      • Instruction Fuzzy Hash: 93514970908A4D8FDB54EFA8C845BEDBBF1FB59311F10826AD048E3255DB74A485CF40

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379201273.00007FF7C1050000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1050000_powershell.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: c2aa29921aa6a8098251d5790f72f47c807767ea7df746b8c35530f8ca4c8909
                                      • Instruction ID: 2ee7d0196c66253d6953fc7c472b0a849b653aa8d440ad782e819f8aefacde08
                                      • Opcode Fuzzy Hash: c2aa29921aa6a8098251d5790f72f47c807767ea7df746b8c35530f8ca4c8909
                                      • Instruction Fuzzy Hash: 4F516970D0874C8FDB55DFA8C885AEDBBF0FF56320F1041AAD449E7292DA74A486CB51

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379819151.00007FF7C1120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1120000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 99abbe93ed0740fd21711513552102bd773a58e2508eb9407e1f3b02da3e685c
                                      • Instruction ID: 0a74750c6411d156171f698cac1eaa45d035d844d256fe64d4f3d1855957b387
                                      • Opcode Fuzzy Hash: 99abbe93ed0740fd21711513552102bd773a58e2508eb9407e1f3b02da3e685c
                                      • Instruction Fuzzy Hash: 20917931E1CAC98FE79EEE2868511B8BBD1EF4A670B8841FED049C7183DD58AC068351

                                      Control-flow Graph

                                      [Control-flow graph: function at 7ff7c1122240, no API calls]
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1379819151.00007FF7C1120000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1120000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ff7c1120000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2880f0a2de86a9dcb2d818cbab064f99f56c7c595cb14b3b38dd886f0f547bab
                                      • Instruction ID: 0804bdfab7c630d4c232042f4aa74aa05edb95f61167f71f49322da3bcd06f83
                                      • Opcode Fuzzy Hash: 2880f0a2de86a9dcb2d818cbab064f99f56c7c595cb14b3b38dd886f0f547bab
                                      • Instruction Fuzzy Hash: 6D914831E0CA898FE795EF2C68546B8BBE1EF59720B8802FAD04DC7193DD5CAC058761

                                      Execution Graph

                                      Execution Coverage:6.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:39
                                      Total number of Limit Nodes:3
                                      [Execution graph: entry 17484e0; API calls KiUserCallbackDispatcher (via 174d3c6), DuplicateHandle (from 1747ec8) and SetWindowsHookExW (from 17429c8)]

                                      Control-flow Graph

                                      [Control-flow graph: function at 1747ec0, calls DuplicateHandle]
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01747F4F
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: c713a938a66bd5307548577aa4494aa29c3124c9d50fbce3e6c312887adc997c
                                      • Instruction ID: bb5c5e40e7e5f9bb3400fa35648525fb3838dea4c7b393abe142692a32b8c789
                                      • Opcode Fuzzy Hash: c713a938a66bd5307548577aa4494aa29c3124c9d50fbce3e6c312887adc997c
                                      • Instruction Fuzzy Hash: A821E0B59002589FDB10CFAAD584AEEBBF5EB48310F24841AE918A7350D374A951CFA0

                                      Control-flow Graph

                                      [Control-flow graph: function at 1747ec8, calls DuplicateHandle]
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01747F4F
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 435a603ca1b5d3e33b7d1e922f5ea1d616c0d64668a6b84eefd18c97556ae0f0
                                      • Instruction ID: 4411b8d36c52a2b7043a27b2bd1e9a08ef27e3e83db50be5a318fcf37b64865a
                                      • Opcode Fuzzy Hash: 435a603ca1b5d3e33b7d1e922f5ea1d616c0d64668a6b84eefd18c97556ae0f0
                                      • Instruction Fuzzy Hash: D521E2B59003089FDB10CFAAD984ADEFBF8EB48310F14841AE918A3350D374A941CFA4

                                      Control-flow Graph

                                      [Control-flow graph: function at 17429c2, calls SetWindowsHookExW]
                                      APIs
                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01742A43
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 2273e7f9f4d2a4c587e8733d9d7264ea1dab339963a41064fee79db5f36230b5
                                      • Instruction ID: ae95883b55ee2e8acfdd451bba4c713c07169e0b2637ec6fdf109f73c5f174cf
                                      • Opcode Fuzzy Hash: 2273e7f9f4d2a4c587e8733d9d7264ea1dab339963a41064fee79db5f36230b5
                                      • Instruction Fuzzy Hash: BC2135B5D002098FDB24DF9AD944BEEFBF5FB88310F14842AE814A7250C774A941CFA0

                                      Control-flow Graph
                                      • Nodes (id start[-end] [API]): 155 17429c8-1742a12; 157 1742a14; 158 1742a1e-1742a50 SetWindowsHookExW; 161 1742a1c; 159 1742a52-1742a58; 160 1742a59-1742a7e
                                      • Edges (src->dst): 155->157, 155->158, 157->161, 158->159, 158->160, 159->160, 161->158
                                      APIs
                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01742A43
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 2f8bff2175be8be338030bb7dc709495cdb98570165e5d09f6868d2b00ddd85f
                                      • Instruction ID: aa2f6ea3dee3e4f6b7037c4d4b796655d14210208f7b3aa39a0f636def36643d
                                      • Opcode Fuzzy Hash: 2f8bff2175be8be338030bb7dc709495cdb98570165e5d09f6868d2b00ddd85f
                                      • Instruction Fuzzy Hash: E1211575D002098FDB24DF9AD944BEEFBF5FB88310F148429E815A7250C774A945CFA1

                                      Control-flow Graph
                                      • Nodes (id start[-end] [API]): 165 174d368-174d3c4; 168 174d3c6-174d3ee KiUserCallbackDispatcher; 169 174d412-174d42b; 170 174d3f7-174d40b; 171 174d3f0-174d3f6
                                      • Edges (src->dst): 165->168, 165->169, 168->170, 168->171, 170->169, 171->170
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0174D3DD
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: f29696a9f5d4a3638340dd2c2b502fc3d5012b139a866dee5357679b1c2ce620
                                      • Instruction ID: afe01a067f618dfc30eeea14879016ea337e7d55a4e841fa05d69b8c33cdfcff
                                      • Opcode Fuzzy Hash: f29696a9f5d4a3638340dd2c2b502fc3d5012b139a866dee5357679b1c2ce620
                                      • Instruction Fuzzy Hash: 7811E6B5804399DFDB20CF9AC5497EEBFF4EB08310F1444A9E588A7682C7399504CBB5

                                      Control-flow Graph
                                      • Nodes (id start[-end] [API]): 173 174d378-174d3c4; 175 174d3c6-174d3ee KiUserCallbackDispatcher; 176 174d412-174d42b; 177 174d3f7-174d40b; 178 174d3f0-174d3f6
                                      • Edges (src->dst): 173->175, 173->176, 175->177, 175->178, 177->176, 178->177
                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0174D3DD
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3746438875.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_1740000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0
                                      • Opcode ID: ab06a32784aef99b1523fae24aab02ab4e72f5545ad055565c98692a812e08d3
                                      • Instruction ID: 50407794f2830a691023622b9a28d3adffdb9a569b6cebf38622eec0f74b5946
                                      • Opcode Fuzzy Hash: ab06a32784aef99b1523fae24aab02ab4e72f5545ad055565c98692a812e08d3
                                      • Instruction Fuzzy Hash: 7D11C1B1804399CFDB20CF9AC5097EEBFF4EB08310F148099E599A3282C7396604CBB5
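The IDA-plugin records above describe four functions recovered from the 0x01740000 region of aspnet_compiler.exe (process 7), a region the dump marks "based on PE: false", i.e. code that is not backed by a mapped image. The plugin emits each control-flow graph as one whitespace-separated line: node records "<id> <start>[-<end>] [ApiName ...]" interleaved with edges "<src>-><dst>". The Python below is an added example, not Joe Sandbox's own code, that parses that raw line format, rebuilds the graph and answers the question an analyst asks of such a dump: which functions reach SetWindowsHookExW (a user-mode hook install, commonly used by AsyncRAT's keylogger; note the report leaves the idHook argument unresolved as "?") and which reach KiUserCallbackDispatcher. The five graph lines embedded in the block are copied verbatim from this report; every function and class name is my own.

```python
"""Parse Joe Sandbox IDA-plugin 'control_flow_graph' lines and locate API call sites.

Added example, not Joe Sandbox code. Assumes only the textual format seen in the
report: node records "<id> <start>[-<end>] [ApiName ...]" and edges "<src>-><dst>".
"""
import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # hex start, optional -end
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

# Copied verbatim from this report (process 7, aspnet_compiler.exe, region 0x01740000).
REPORT_CFG_LINES = [
    "control_flow_graph 144 17429c2-1742a12 147 1742a14 144->147 148 1742a1e-1742a50 SetWindowsHookExW 144->148 151 1742a1c 147->151 149 1742a52-1742a58 148->149 150 1742a59-1742a7e 148->150 149->150 151->148",
    "control_flow_graph 155 17429c8-1742a12 157 1742a14 155->157 158 1742a1e-1742a50 SetWindowsHookExW 155->158 161 1742a1c 157->161 159 1742a52-1742a58 158->159 160 1742a59-1742a7e 158->160 159->160 161->158",
    "control_flow_graph 165 174d368-174d3c4 168 174d3c6-174d3ee KiUserCallbackDispatcher 165->168 169 174d412-174d42b 165->169 170 174d3f7-174d40b 168->170 171 174d3f0-174d3f6 168->171 170->169 171->170",
    "control_flow_graph 173 174d378-174d3c4 175 174d3c6-174d3ee KiUserCallbackDispatcher 173->175 176 174d412-174d42b 173->176 177 174d3f7-174d40b 175->177 178 174d3f0-174d3f6 175->178 177->176 178->177",
]


@dataclass
class Block:
    node_id: int
    start: int
    end: int                       # equals start when only one address is given
    apis: list = field(default_factory=list)


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)   # node_id -> Block (insertion order kept)
    edges: list = field(default_factory=list)    # (src, dst)


def _is_node_start(tokens, i):
    """tokens[i] is a decimal node id immediately followed by an address token."""
    return i + 1 < len(tokens) and tokens[i].isdigit() and ADDR_RE.match(tokens[i + 1]) is not None


def parse_cfg(line):
    """Parse one 'control_flow_graph ...' line into a Cfg."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    cfg, current, i = Cfg(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            cfg.edges.append((int(m.group(1)), int(m.group(2))))
            current, i = None, i + 1
        elif _is_node_start(tokens, i):
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            current = Block(int(tok), start, int(hi, 16) if hi else start)
            cfg.blocks[current.node_id] = current
            i += 2
        elif current is not None:
            current.apis.append(tok)   # API name the plugin attached to this block
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return cfg


def api_call_sites(cfg):
    """[(node_id, api_name), ...] for every block that calls an API."""
    return [(b.node_id, api) for b in cfg.blocks.values() for api in b.apis]


def entry_block(cfg):
    """Node id of the function entry: a block no edge points to (lowest address wins)."""
    targets = {dst for _, dst in cfg.edges}
    entries = [n for n in cfg.blocks if n not in targets]
    if not entries:
        raise ValueError("graph has no entry block")
    return min(entries, key=lambda n: cfg.blocks[n].start)


def predecessors(cfg, target):
    """All node ids from which `target` is reachable (transitive predecessors)."""
    preds = {}
    for src, dst in cfg.edges:
        preds.setdefault(dst, set()).add(src)
    seen, work = set(), [target]
    while work:
        for p in preds.get(work.pop(), ()):
            if p not in seen:
                seen.add(p)
                work.append(p)
    return seen


def functions_calling(lines, api):
    """Entry addresses (ints) of every function whose graph calls `api`, in report order."""
    hits = []
    for line in lines:
        cfg = parse_cfg(line)
        if any(name == api for _, name in api_call_sites(cfg)):
            hits.append(cfg.blocks[entry_block(cfg)].start)
    return hits


if __name__ == "__main__":
    for api in ("SetWindowsHookExW", "KiUserCallbackDispatcher"):
        addrs = ", ".join(f"{a:08x}" for a in functions_calling(REPORT_CFG_LINES, api))
        print(f"{api}: called from functions at {addrs}")
```

Two of the four graphs are near-duplicates with entry addresses six bytes apart (17429c2/17429c8 and 174d368/174d378), which is how IDA reports overlapping function starts in unbacked memory rather than evidence of two distinct routines; the parser keeps both so the analyst can decide.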
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3744030792.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_125d000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b90a1b2a0ca70dc708ae557827a7f2ccdc7b4beb5a837a8acf89afe9162b3ca
                                      • Instruction ID: d14c54363e2d0d23d853e445c79d2ba03f57edac9d53b1f14e5cd5965e8ea815
                                      • Opcode Fuzzy Hash: 8b90a1b2a0ca70dc708ae557827a7f2ccdc7b4beb5a837a8acf89afe9162b3ca
                                      • Instruction Fuzzy Hash: FA2122B1514208DFEB45DF94C9C0B26BBA1EB88224F24C56DDD0A4B256C37AD846CA62
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3744030792.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_125d000_aspnet_compiler.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                      • Instruction ID: 4294e0a96c84f512dd7894ff57b6575dc1dc070e4d0a301fa31219e8a50c51ad
                                      • Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
                                      • Instruction Fuzzy Hash: 1B11DD75504284CFDB06CF54D9C4B15BFB1FB84314F28C6AADD494B656C33AD44ACBA1