
Windows Analysis Report
801.ps1

Overview

General Information

Sample name: 801.ps1
Analysis ID: 1571210
MD5: 466bd5902510f9ad176108dd1c5f7979
SHA1: 586d8326df861aa4968495436a5e91beef85c585
SHA256: 3efff01d7236dc49abf420b40c3460c89ffb3957933ba518dc5ad60d12261c35
Tags: ps1, user-lontze7

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 3752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_compiler.exe (PID: 4144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Extracted malware configuration (AsyncRAT):
{"Server": "windows-cam.casacam.net", "Port": "801", "Version": "A 13", "MutexName": "AsyncMutex_6SI8OkPnkcvfg", "Autorun": "false", "Group": "true"}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xda3e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0x1e89ec:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x1ec550:$a2: Stub.exe
  • 0x1ec5e0:$a2: Stub.exe
  • 0x1e4ceb:$a3: get_ActivatePong
  • 0x1e8c04:$a4: vmware
  • 0x1e8a7c:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x1e5e18:$a6: get_SslClient
00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
0.2.powershell.exe.14a809469e8.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.powershell.exe.14a809469e8.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xbdac:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xf238:$a2: Stub.exe
  • 0xf2c8:$a2: Stub.exe
  • 0x80ab:$a3: get_ActivatePong
  • 0xbfc4:$a4: vmware
  • 0xbe3c:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x91d8:$a6: get_SslClient
0.2.powershell.exe.14a809469e8.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xbe3e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

System Summary (Sigma)

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3752, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 4144, ProcessName: aspnet_compiler.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", ProcessId: 3752, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1", ProcessId: 3752, ProcessName: powershell.exe
              No Suricata rule has matched


              AV Detection

Source: 00000003.00000002.4474354460.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "windows-cam.casacam.net", "Port": "801", "Version": "A 13", "MutexName": "AsyncMutex_6SI8OkPnkcvfg", "Autorun": "false", "Group": "true"}
Source: 801.ps1 | ReversingLabs: Detection: 26%
Source: 801.ps1 | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

              Networking

Source: Malware configuration extractor | URLs: windows-cam.casacam.net
Source: Yara match | File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 163.172.125.253:801
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: windows-cam.casacam.net
Source: powershell.exe, 00000000.00000002.2074011149.0000014A90257000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2061671791.0000014A81219000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2074011149.0000014A90257000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR

              System Summary

Source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F641A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848F63178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 3_2_027FE328
Source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, zdMzlRgcfpUCBXT.cs | Base64 encoded strings found (values not reproduced here)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/5@2/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnkcvfg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3155z53.bri.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 801.ps1 | ReversingLabs: Detection: 26%
Source: 801.ps1 | Virustotal: Detection: 32%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

              Data Obfuscation

              Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, CiLMkpUrsKMTbMb.cs | .Net Code: SMHylhYCRmoEVp System.AppDomain.Load(byte[])
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E981BF push esp; iretd 0_2_00007FF848E981C0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E97AF7 push cs; iretd 0_2_00007FF848E97AFF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E968D3 pushad ; ret 0_2_00007FF848E96949
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF848E98CBB push ebx; retf 0_2_00007FF848E98CD0
              Source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, ivkyaOayoQTm.cs | High entropy of concatenated method names: 'lyqQsMGZmwWNVwm', 'bcVCaTkHqi', 'jAdPxwSGadel', 'zvUjdBsROAIe', 'OnGQYQjfJqeKos', 'ILTaMoWgGTK', 'QcaUGhuBFxw', 'sDcZeBfPlbsA', 'KKbchEyIVBEl', 'DeJXERsZULOID'

              Boot Survival

              Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (82 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX (53 identical entries)

              Malware Analysis System Evasion

              Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR
              Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLM\B(BC1|[13])[A-ZA-HJ-NP-Z0-9]{26,45}\B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 27F0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 29F0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: 49F0000 memory reserve | memory write watch
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3713
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6126
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 5062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 4916
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188 | Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2636 | Thread sleep count: 5062 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2636 | Thread sleep time: -5062000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2636 | Thread sleep count: 4916 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2636 | Thread sleep time: -4916000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: aspnet_compiler.exe, 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: aspnet_compiler.exe, 00000003.00000002.4472646468.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: 0.2.powershell.exe.14a80f57228.3.raw.unpack, local.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
              Source: 0.2.powershell.exe.14a80f57228.3.raw.unpack, local.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
              Source: 0.2.powershell.exe.14a80f57228.3.raw.unpack, local.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num19 + 8, bytes, 4, ref bytesWritten)
              Source: 0.2.powershell.exe.14a80f57228.3.raw.unpack, local.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num19 + 8, ref buffer, 4, ref bytesWritten)
              Source: 0.2.powershell.exe.14a80f57228.3.raw.unpack, local.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num24, length, 12288, 64)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 416000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 93D008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a809469e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.powershell.exe.14a80417ba8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4144, type: MEMORYSTR

              Stealing of Sensitive Information

Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: FalseQ\AppData\Roaming\Exodus\exodus.conf.json
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: AtomicI\AppData\Roaming\binance\Preferences
Source: powershell.exe, 00000000.00000002.2084427814.00007FF849060000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: InstalledK\AppData\Roaming\Ledger Live\app.json

ATT&CK Matrix (techniques listed per tactic column; a leading number is kept as shown on the page)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Scheduled Task/Job; 1 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 211 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 211 Process Injection; 111 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
801.ps1 | 26% | ReversingLabs | Script-PowerShell.Backdoor.AsyncRAT
801.ps1 | 33% | Virustotal |
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
windows-cam.casacam.net | 163.172.125.253 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
windows-cam.casacam.net | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2074011149.0000014A90257000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2061671791.0000014A80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2061671791.0000014A80001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.2061671791.0000014A81219000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2081730117.0000014AE93C9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2074011149.0000014A90257000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2074011149.0000014A90073000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
163.172.125.253 | windows-cam.casacam.net | United Kingdom | 12876 | OnlineSASFR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571210
Start date and time: 2024-12-09 07:00:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 801.ps1
Detection: MAL
Classification: mal100.troj.spyw.evad.winPS1@4/5@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 19
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .ps1
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
01:01:46 | API Interceptor | 36x Sleep call for process: powershell.exe modified
01:02:27 | API Interceptor | 7909305x Sleep call for process: aspnet_compiler.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OnlineSASFR | BA9qyj2c9G.exe | malicious | WhiteSnake Stealer | 51.159.4.50
OnlineSASFR | pbnpvwfhco.elf | malicious | Unknown | 151.115.178.130
OnlineSASFR | nlGOh9K5X5.exe | malicious | Xmrig | 51.15.193.130
OnlineSASFR | LfHJdrALlh.exe | malicious | Xmrig | 51.15.58.224
OnlineSASFR | l64.elf | malicious | Xmrig | 51.158.204.249
OnlineSASFR | Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msg | malicious | Unknown | 163.172.240.109
OnlineSASFR | EHak.exe | malicious | Unknown | 62.210.124.132
OnlineSASFR | teste.i686.elf | malicious | Mirai, Moobot, Okiru | 51.158.21.23
OnlineSASFR | teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 51.158.232.110
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllultnxj:NllU
MD5: F93358E626551B46E6ED5A0A9D29BD51
SHA1: 9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256: 0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512: D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.701383083365308
Encrypted: false
SSDEEP: 48:oxES7YCwbU2K+h2QukvhkvklCywun2uFbtlzKSogZopOFbtlWKSogZoN1:aNYCVoMkvhkvCCtcFbtpHbFbtqHe
MD5: F3D488175B129DD73845C41B49D3C859
SHA1: E82EFD63A5CD3BF3C1219751E28C95B8A0FBD408
SHA-256: 270435BCA8C990B90D9AEE6834A31C82BA8BA58CBCC1D339EE0E9B5484DC1F41
SHA-512: B94DB86233343B9A838D8B72B32CD0DE0DA789D81804B03F96FF07087C7EAF83E0DEC700C15EB198D6FB9B18E85DDA5445DC876ACDB65EF297F158BD708E2C4F
Malicious: false
File type: ASCII text, with very long lines (64811), with CRLF line terminators
Entropy (8bit): 3.2822084280395694
TrID:
File name: 801.ps1
File size: 187'279 bytes
MD5: 466bd5902510f9ad176108dd1c5f7979
SHA1: 586d8326df861aa4968495436a5e91beef85c585
SHA256: 3efff01d7236dc49abf420b40c3460c89ffb3957933ba518dc5ad60d12261c35
SHA512: c2b1c10ad2bdb6f222e48e43f973e9c1c09ed66857b6e59cc2d06b26f71557d4cb5a840779633b8897fd4c37c1ab75226935e9c5d9de4e4ab2fddfa4fae93529
SSDEEP: 3072:4EEkBxJ3JygS3lX0ctuyHKCEIqQWVUBFJHFe730zz7F0ejBW/IeDFUJHFZuyEHB3:hv5ygS3hjtuyHKCEIqQWVUBFJHFe73N7
TLSH: EE04DE5CF742FD2FD65D6C0E210EAB376434A8AEE5FBEBD6800CD73768E58010AA6145
File Content Preview: Function Binary2String(<#_11__#>[<#_11__#>String<#_11__#>] $Yatak) {.. $byteList = [System.Collections.Generic.List[<#_11__#>Byte<#_11__#>]]::new().. for ($i = 0; $i -lt $Yatak.Length; $i +=8) {.. $byteList.Add([Convert]::ToByte(<#_11__#>$Yat
Icon Hash: 3270d6baae77db44
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 07:01:56.648936033 CET | 49704 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:01:56.768421888 CET | 801 | 49704 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:01:56.768543959 CET | 49704 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:01:56.794044971 CET | 49704 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:01:56.913410902 CET | 801 | 49704 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:01.359616041 CET | 801 | 49704 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:01.359740973 CET | 49704 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:06.385776043 CET | 49704 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:06.387119055 CET | 49710 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:06.505266905 CET | 801 | 49704 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:06.506396055 CET | 801 | 49710 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:06.506663084 CET | 49710 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:06.507054090 CET | 49710 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:06.628830910 CET | 801 | 49710 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:08.674681902 CET | 801 | 49710 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:08.674963951 CET | 49710 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:13.746633053 CET | 49710 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:13.749110937 CET | 49722 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:13.866199017 CET | 801 | 49710 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:13.868349075 CET | 801 | 49722 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:13.868479013 CET | 49722 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:13.874156952 CET | 49722 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:13.993592978 CET | 801 | 49722 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:16.031676054 CET | 801 | 49722 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:16.031734943 CET | 49722 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:21.037703991 CET | 49722 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:21.038707018 CET | 49743 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:21.157094002 CET | 801 | 49722 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:21.158072948 CET | 801 | 49743 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:21.158164024 CET | 49743 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:21.158516884 CET | 49743 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:21.277734041 CET | 801 | 49743 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:23.313282013 CET | 801 | 49743 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:23.313380003 CET | 49743 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:28.319395065 CET | 49743 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:28.320260048 CET | 49759 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:28.438898087 CET | 801 | 49743 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:28.439467907 CET | 801 | 49759 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:28.439605951 CET | 49759 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:28.439987898 CET | 49759 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:28.559216976 CET | 801 | 49759 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:50.324090958 CET | 801 | 49759 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:50.324219942 CET | 49759 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:55.334537983 CET | 49759 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:55.335200071 CET | 49823 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:55.454955101 CET | 801 | 49759 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:55.455359936 CET | 801 | 49823 | 163.172.125.253 | 192.168.2.5
Dec 9, 2024 07:02:55.455492020 CET | 49823 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:55.455847025 CET | 49823 | 801 | 192.168.2.5 | 163.172.125.253
Dec 9, 2024 07:02:55.575494051 CET | 801 | 49823 | 163.172.125.253 | 192.168.2.5
                                          Dec 9, 2024 07:03:17.357032061 CET80149823163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:17.357124090 CET49823801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:22.366720915 CET49882801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:22.366751909 CET49823801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:22.486217022 CET80149882163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:22.486232996 CET80149823163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:22.486304998 CET49882801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:22.486833096 CET49882801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:22.606051922 CET80149882163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:44.403166056 CET80149882163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:44.403429985 CET49882801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:49.413068056 CET49882801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:49.414042950 CET49944801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:49.532423019 CET80149882163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:49.533272982 CET80149944163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:03:49.533473969 CET49944801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:49.534919977 CET49944801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:03:49.654274940 CET80149944163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:11.435029030 CET80149944163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:11.435189009 CET49944801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:16.444339037 CET49944801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:16.563797951 CET80149944163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:16.794219017 CET49983801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:16.913585901 CET80149983163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:16.914506912 CET49983801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:16.914508104 CET49983801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:17.033994913 CET80149983163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:38.810586929 CET80149983163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:38.810726881 CET49983801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:43.819427013 CET49983801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:43.821810961 CET49984801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:43.938879967 CET80149983163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:43.941077948 CET80149984163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:04:43.941169977 CET49984801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:43.941612005 CET49984801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:04:44.061028957 CET80149984163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:05.829670906 CET80149984163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:05.829749107 CET49984801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:10.835176945 CET49984801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:10.836831093 CET49985801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:10.954473972 CET80149984163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:10.956043959 CET80149985163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:10.956187010 CET49985801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:10.957251072 CET49985801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:11.076577902 CET80149985163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:32.845676899 CET80149985163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:32.845846891 CET49985801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:37.850939989 CET49985801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:37.851984024 CET49986801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:37.970220089 CET80149985163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:37.971303940 CET80149986163.172.125.253192.168.2.5
                                          Dec 9, 2024 07:05:37.971398115 CET49986801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:37.971919060 CET49986801192.168.2.5163.172.125.253
                                          Dec 9, 2024 07:05:38.091084003 CET80149986163.172.125.253192.168.2.5
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Dec 9, 2024 07:01:55.910706997 CET | 62088 | 53 | 192.168.2.5 | 1.1.1.1
                                           Dec 9, 2024 07:01:56.645966053 CET | 53 | 62088 | 1.1.1.1 | 192.168.2.5
                                           Dec 9, 2024 07:04:16.445319891 CET | 57794 | 53 | 192.168.2.5 | 1.1.1.1
                                           Dec 9, 2024 07:04:16.792985916 CET | 53 | 57794 | 1.1.1.1 | 192.168.2.5

                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Dec 9, 2024 07:01:55.910706997 CET | 192.168.2.5 | 1.1.1.1 | 0xd8fe | Standard query (0) | windows-cam.casacam.net | A (IP address) | IN (0x0001) | false
                                           Dec 9, 2024 07:04:16.445319891 CET | 192.168.2.5 | 1.1.1.1 | 0xc28d | Standard query (0) | windows-cam.casacam.net | A (IP address) | IN (0x0001) | false

                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Dec 9, 2024 07:01:56.645966053 CET | 1.1.1.1 | 192.168.2.5 | 0xd8fe | No error (0) | windows-cam.casacam.net | | 163.172.125.253 | A (IP address) | IN (0x0001) | false
                                           Dec 9, 2024 07:04:16.792985916 CET | 1.1.1.1 | 192.168.2.5 | 0xc28d | No error (0) | windows-cam.casacam.net | | 163.172.125.253 | A (IP address) | IN (0x0001) | false

                                          Target ID:0
                                          Start time:01:01:44
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\801.ps1"
                                          Imagebase:0x7ff7be880000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2061671791.0000014A81000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2061671791.0000014A80232000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:true

                                          Target ID:1
                                          Start time:01:01:44
                                          Start date:09/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:01:01:49
                                          Start date:09/12/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                          Imagebase:0x6f0000
                                          File size:56'368 bytes
                                          MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.4472305376.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:moderate
                                          Has exited:false

                                            Execution Graph

                                            Execution Coverage:4%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:0%
                                            Total number of Nodes:12
                                            Total number of Limit Nodes:0

                                            Control-flow Graph

                                             [Control-flow graph figure: basic blocks of the function at 7ff848f641a8-7ff848f64b7b, marked Executed / Not Executed]
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 327d4e4b3991804c013686f61c310aaf1539a3d0a978883e077fd2f46996ca6b
                                            • Instruction ID: 781eb18692e076f4ff716d47fa358ca04fe13076524fa69377574f1f3f07c2da
                                            • Opcode Fuzzy Hash: 327d4e4b3991804c013686f61c310aaf1539a3d0a978883e077fd2f46996ca6b
                                            • Instruction Fuzzy Hash: 0D723631A0DB894FE79ABB2858152B57BE1EF66260F0902FFD04DD71D3DE18AC068395

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2082744852.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID: _
                                            • API String ID: 963392458-701932520
                                            • Opcode ID: bbd87411c0293d594ba9a523de8e6b424e2bf61b02db0cb55610df25c1646405
                                            • Instruction ID: 1ea5e5a1183b0943f95050ead8ed9b7161b18a97e8f79537c37461775f946a12
                                            • Opcode Fuzzy Hash: bbd87411c0293d594ba9a523de8e6b424e2bf61b02db0cb55610df25c1646405
                                            • Instruction Fuzzy Hash: 0E025F70918A8D8FEBB8EF18C8597E977E1FF59341F00412AD80EDB291DB74A640CB85

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2082744852.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: a1262d38a7dce01508a792dba935fcdbd6d9c9c70fe2417b3e94423e153358c4
                                            • Instruction ID: f4a185b220fc2d752fc9c495d8b1155727d22c810b87d9f85f1422b9e597bf59
                                            • Opcode Fuzzy Hash: a1262d38a7dce01508a792dba935fcdbd6d9c9c70fe2417b3e94423e153358c4
                                            • Instruction Fuzzy Hash: C0612A70908A5D8FDB98DF68C885BE9BBF1FB69310F1041AAD44CE3251DB74A985CB44

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2082744852.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 28fc38c4b69cf4653226fbd3bfc249387b16ce3ce8ab567ded55cc7c86748f43
                                            • Instruction ID: 9a039accc4a5c69ff12fcf520d7b36a249301419d418136ca234e5ec1d4e3bd8
                                            • Opcode Fuzzy Hash: 28fc38c4b69cf4653226fbd3bfc249387b16ce3ce8ab567ded55cc7c86748f43
                                            • Instruction Fuzzy Hash: E3513970908A4D8FEB58EF98C849BEDBBF1FB59311F10826AD448E7255DB74A485CB40

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2082744852.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848e90000_powershell.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 681b0663f66311886c7fa96a9f73f608200ea36622c9ec56ba089b0e1c5c13a6
                                            • Instruction ID: 4e05e1b864e97a777334279eff096b12da0af14f79e6279897fcfafd3a0c4248
                                            • Opcode Fuzzy Hash: 681b0663f66311886c7fa96a9f73f608200ea36622c9ec56ba089b0e1c5c13a6
                                            • Instruction Fuzzy Hash: 08518B30D0C78C8FDB59EFA8C845AE9BBB0FF56310F1441AAD449E7292DB74A485CB51

                                            Control-flow Graph

                                             [Control-flow graph figure: basic blocks of the function at 7ff848f63c40-7ff848f64027, marked Executed / Not Executed]
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b95c5d1d056c6d11d07610b3cbe64a7dfea0ec6bfa9cbe7af47d8b367da932ac
                                            • Instruction ID: 7c220376d170f351b8fc43372ff8acac4c14c2b7195b57b4bf39d7b66134e91d
                                            • Opcode Fuzzy Hash: b95c5d1d056c6d11d07610b3cbe64a7dfea0ec6bfa9cbe7af47d8b367da932ac
                                            • Instruction Fuzzy Hash: 29812432E0DA8D4FE795AB2C54582B5BBE1EF552A0F0802BBD04DD71D3DE189C078355

                                            Control-flow Graph

                                             [Control-flow graph figure: basic blocks of the function at 7ff848f60833-7ff848f60a3d, marked Executed / Not Executed]
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1eb4c1f77992592ebcf74549ed81b9ea468537dbaa2f628d1a32b1d9dfd30485
                                            • Instruction ID: 5b56b1934747a6f4fe661ec5602e88e2fe73ec5b50106da87271b31347e2605a
                                            • Opcode Fuzzy Hash: 1eb4c1f77992592ebcf74549ed81b9ea468537dbaa2f628d1a32b1d9dfd30485
                                            • Instruction Fuzzy Hash: FF21B432F1DE198EF7A5B71CA4152B973E2EB84661F54137BC90AE32C6DF14E81642C4

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f245bfe802b9a00285deed3dfd1c63005f23f18a835932b91003513119b35fdb
                                            • Instruction ID: 6b0d3eb039cb45ba2159e2cf808981d6b777baa2697a7e7f3caa649bb6461ea4
                                            • Opcode Fuzzy Hash: f245bfe802b9a00285deed3dfd1c63005f23f18a835932b91003513119b35fdb
                                            • Instruction Fuzzy Hash: 5A112131B1EA494FEB9CAB2C54011B9B7E2EFA5261F0412BED04FD35A2DF1898028308

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 230c87475613288505f3836408af62b6b5e57971f0b6a2eccc19bd3e9895f697
                                            • Instruction ID: 88f99f38ff5a9743cbd46f3e6259670c69e717d37b0710969b13f4e6baf01426
                                            • Opcode Fuzzy Hash: 230c87475613288505f3836408af62b6b5e57971f0b6a2eccc19bd3e9895f697
                                            • Instruction Fuzzy Hash: 5911EE31B1DA494FEB98AB2C54011B9B7E2EFA9261F4412BED04FD35A2DF1898038208

                                            Control-flow Graph

                                            control_flow_graph 436 7ff848f60954-7ff848f6096a 437 7ff848f6096c-7ff848f60981 436->437 438 7ff848f60983-7ff848f60988 436->438 437->438 440 7ff848f609d9-7ff848f609e3 438->440 441 7ff848f6098a-7ff848f6098d 438->441 443 7ff848f609e5-7ff848f609f3 440->443 444 7ff848f609f4-7ff848f60a3d 440->444 441->440 442 7ff848f6098f-7ff848f60992 441->442 442->440 446 7ff848f60994-7ff848f60997 442->446 446->440 448 7ff848f60999-7ff848f609a0 446->448 450 7ff848f609a7-7ff848f609b0 448->450 452 7ff848f609c9-7ff848f609d8 450->452 453 7ff848f609b2-7ff848f609bf 450->453 453->452 456 7ff848f609c1-7ff848f609c7 453->456 456->452
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c2202d317922f90a49790f3238539ae96afff18ba177d6794a96e3b869c4481
                                            • Instruction ID: 8125f9fff3b3224b127d916f1338c78887da4bbf4da674d55c7bde02dbccafe9
                                            • Opcode Fuzzy Hash: 7c2202d317922f90a49790f3238539ae96afff18ba177d6794a96e3b869c4481
                                            • Instruction Fuzzy Hash: 37110A22E1EE6A5EF395B728541427566E2DFC1690F5813BAC80DF72CBDE0498074285
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2083084901.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff848f60000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20b76086954f303c2401b86ca854967f10ccd82fa3c2c3a5c809d0e6c0bdc9fe
                                            • Instruction ID: b3e04a879b4f1203300a55a56413fd358a5f51979545f7fb84cb9a24f61ddd5c
                                            • Opcode Fuzzy Hash: 20b76086954f303c2401b86ca854967f10ccd82fa3c2c3a5c809d0e6c0bdc9fe
                                            • Instruction Fuzzy Hash: 5FC1C031A0DBC55FE3869B2C58551A07FE1EF53260F0912FBC489CB0E3DA19A84BC366

                                            Execution Graph

                                            Execution Coverage:8.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:60
                                            Total number of Limit Nodes:6
                                            execution_graph 14414 27f7f68 14415 27f7fae GetCurrentProcess 14414->14415 14417 27f7ff9 14415->14417 14418 27f8000 GetCurrentThread 14415->14418 14417->14418 14419 27f803d GetCurrentProcess 14418->14419 14420 27f8036 14418->14420 14421 27f8073 14419->14421 14420->14419 14426 27f8148 14421->14426 14429 27f8138 14421->14429 14422 27f809b GetCurrentThreadId 14423 27f80cc 14422->14423 14434 27f7cdc 14426->14434 14430 27f8112 14429->14430 14431 27f8142 14429->14431 14430->14422 14432 27f7cdc DuplicateHandle 14431->14432 14433 27f8176 14432->14433 14433->14422 14435 27f81b0 DuplicateHandle 14434->14435 14436 27f8176 14435->14436 14436->14422 14437 27f2b30 14438 27f2b3f 14437->14438 14439 27f2b4a 14438->14439 14442 27f6e60 14438->14442 14446 27f6e50 14438->14446 14443 27f6e6f 14442->14443 14450 27f6634 14443->14450 14447 27f6e6f 14446->14447 14448 27f6634 KiUserCallbackDispatcher 14447->14448 14449 27f6e90 14448->14449 14449->14439 14451 27f663f 14450->14451 14454 27f7dc4 14451->14454 14453 27f8816 14453->14453 14455 27f7dcf 14454->14455 14456 27f910d 14455->14456 14458 27fabc0 14455->14458 14456->14453 14460 27fabe1 14458->14460 14459 27fac05 14459->14456 14460->14459 14462 27fad70 14460->14462 14463 27fad7d 14462->14463 14465 27fadb6 14463->14465 14466 27f8fe4 14463->14466 14465->14459 14467 27f8fef 14466->14467 14469 27fae28 14467->14469 14470 27f9018 14467->14470 14469->14469 14471 27f9023 14470->14471 14474 27f9028 14471->14474 14473 27fae97 14473->14469 14475 27f9033 14474->14475 14480 27fbe4c 14475->14480 14477 27fc418 14477->14473 14478 27fabc0 KiUserCallbackDispatcher 14478->14477 14479 27fc1f0 14479->14477 14479->14478 14481 27fbe57 14480->14481 14482 27fd5fa 14481->14482 14484 27fd648 14481->14484 14482->14479 14485 27fd69b 14484->14485 14486 27fd6a6 KiUserCallbackDispatcher 14485->14486 14487 27fd6d0 14485->14487 14486->14487 14487->14482 14488 27f2cb0 14489 27f2cf4 SetWindowsHookExW 14488->14489 14491 27f2d3a 14489->14491

                                            Control-flow Graph

                                            control_flow_graph 331 27f7f62-27f7ff7 GetCurrentProcess 336 27f7ff9-27f7fff 331->336 337 27f8000-27f8034 GetCurrentThread 331->337 336->337 338 27f803d-27f8071 GetCurrentProcess 337->338 339 27f8036-27f803c 337->339 341 27f807a-27f8092 338->341 342 27f8073-27f8079 338->342 339->338 353 27f8095 call 27f8148 341->353 354 27f8095 call 27f8138 341->354 342->341 344 27f809b-27f80ca GetCurrentThreadId 346 27f80cc-27f80d2 344->346 347 27f80d3-27f8135 344->347 346->347 353->344 354->344
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 027F7FE6
                                            • GetCurrentThread.KERNEL32 ref: 027F8023
                                            • GetCurrentProcess.KERNEL32 ref: 027F8060
                                            • GetCurrentThreadId.KERNEL32 ref: 027F80B9
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 3722ffeee963804a9323d7c797e46155c2722c716eb17fdfbae4817c81de4dcc
                                            • Instruction ID: e75cbe5030392968f26c70989a7b288b45ad19ee32e2c45f1713a098d0e9965b
                                            • Opcode Fuzzy Hash: 3722ffeee963804a9323d7c797e46155c2722c716eb17fdfbae4817c81de4dcc
                                            • Instruction Fuzzy Hash: 535188B4901309CFDB54DFAAD548BAEBBF5EF88314F208459E109A7360D7745848CF66

                                            Control-flow Graph

                                            control_flow_graph 355 27f7f68-27f7ff7 GetCurrentProcess 359 27f7ff9-27f7fff 355->359 360 27f8000-27f8034 GetCurrentThread 355->360 359->360 361 27f803d-27f8071 GetCurrentProcess 360->361 362 27f8036-27f803c 360->362 364 27f807a-27f8092 361->364 365 27f8073-27f8079 361->365 362->361 376 27f8095 call 27f8148 364->376 377 27f8095 call 27f8138 364->377 365->364 367 27f809b-27f80ca GetCurrentThreadId 369 27f80cc-27f80d2 367->369 370 27f80d3-27f8135 367->370 369->370 376->367 377->367
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 027F7FE6
                                            • GetCurrentThread.KERNEL32 ref: 027F8023
                                            • GetCurrentProcess.KERNEL32 ref: 027F8060
                                            • GetCurrentThreadId.KERNEL32 ref: 027F80B9
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 15173fa48989889bae7b13b568a772b2292e2dfb24b31e6ee57b2388b28657bd
                                            • Instruction ID: f2b3cde55ace6b8db92fa076d5b4cbbcebff4015c0c519bed12d712ed1851542
                                            • Opcode Fuzzy Hash: 15173fa48989889bae7b13b568a772b2292e2dfb24b31e6ee57b2388b28657bd
                                            • Instruction Fuzzy Hash: 465187B4901309CFDB54DFAAD548BAEBBF5EF88300F208459E109A73A0D7745888CF66

                                            Control-flow Graph

                                            control_flow_graph 514 27f81a8-27f81ae 515 27f81b0-27f8244 DuplicateHandle 514->515 516 27f824d-27f826a 515->516 517 27f8246-27f824c 515->517 517->516
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027F8176,?,?,?,?,?), ref: 027F8237
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 061b5e13344613f204e6254325f2380d7027300bf50391896360d9c48e334cd4
                                            • Instruction ID: 11df2d6de2ca35a612fce6de1c68dc68e412cf8195029f30c2e524321665d5cf
                                            • Opcode Fuzzy Hash: 061b5e13344613f204e6254325f2380d7027300bf50391896360d9c48e334cd4
                                            • Instruction Fuzzy Hash: 802103B5D002489FDB10CF9AD584ADEFBF9FB48310F14805AE918A7310D378A940CFA5

                                            Control-flow Graph

                                            control_flow_graph 508 27f7cdc-27f8244 DuplicateHandle 510 27f824d-27f826a 508->510 511 27f8246-27f824c 508->511 511->510
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027F8176,?,?,?,?,?), ref: 027F8237
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 8b8b279d084502d2d277ce3014880b9fe99cefbcc78a95a41f3e558bbaa14316
                                            • Instruction ID: 37a41638355590050d353906b8aa5de2500cf7222abdef433ffb479c8a43b4c7
                                            • Opcode Fuzzy Hash: 8b8b279d084502d2d277ce3014880b9fe99cefbcc78a95a41f3e558bbaa14316
                                            • Instruction Fuzzy Hash: 3A21E4B5904248DFDB50CFAAD584AEEFBF9FB48310F14801AE918A7310D378A940CFA5

                                            Control-flow Graph

                                            control_flow_graph 520 27f2ca8-27f2cfa 522 27f2cfc 520->522 523 27f2d06-27f2d38 SetWindowsHookExW 520->523 526 27f2d04 522->526 524 27f2d3a-27f2d40 523->524 525 27f2d41-27f2d66 523->525 524->525 526->523
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027F2D2B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 313643b65eaa39fe46ebac00d1ee6f355c43dec5485418d4225a0f0893c38f9f
                                            • Instruction ID: 5aa00a21e3d3be2c6a5710054b3a886a4492358318bad58327b8bda0307832c1
                                            • Opcode Fuzzy Hash: 313643b65eaa39fe46ebac00d1ee6f355c43dec5485418d4225a0f0893c38f9f
                                            • Instruction Fuzzy Hash: 762115B5D042098FCB14DFAAD944BEEFBF5BF88310F14842AD519A7260C778A944CFA1

                                            Control-flow Graph

                                            control_flow_graph 530 27f2cb0-27f2cfa 532 27f2cfc 530->532 533 27f2d06-27f2d38 SetWindowsHookExW 530->533 536 27f2d04 532->536 534 27f2d3a-27f2d40 533->534 535 27f2d41-27f2d66 533->535 534->535 536->533
                                            APIs
                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 027F2D2B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: 03e43170e8450646a7af2be920f5f3a31fb0f3d0e4eb834ed802eaeb4470d13f
                                            • Instruction ID: db56aa3813a197b6edd9988fdcf2c942a8a904e73b39c7f7e2012ccd6cf28936
                                            • Opcode Fuzzy Hash: 03e43170e8450646a7af2be920f5f3a31fb0f3d0e4eb834ed802eaeb4470d13f
                                            • Instruction Fuzzy Hash: 092104B19042098FCB14DF9AD944AEEBBF5AB88310F14842AD519A7260C774A944CFA0

                                            Control-flow Graph

                                            control_flow_graph 540 27fd648-27fd6a4 542 27fd6a6-27fd6ce KiUserCallbackDispatcher 540->542 543 27fd6f2-27fd70b 540->543 544 27fd6d7-27fd6eb 542->544 545 27fd6d0-27fd6d6 542->545 544->543 545->544
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 027FD6BD
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473961553.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27f0000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: 4e771b2c185aa15af585d7da6d02b17227c5d6479399477ea432ef21d959e034
                                            • Instruction ID: ca640edbdaed7bee1b5e1be1114303b10e2847baf7fc8b5523a92cd57b8bcb8e
                                            • Opcode Fuzzy Hash: 4e771b2c185aa15af585d7da6d02b17227c5d6479399477ea432ef21d959e034
                                            • Instruction Fuzzy Hash: 8111DC72805388CFDB50DF99D50A7EEBFF4EB05354F14805AE548A3241C779A644CBA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473779331.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27ad000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79fb810342dc04ce0dfe741b914f5b726259f54fd3e3224fa3d13219a3395472
                                            • Instruction ID: bbbd9cb2d6b2c3a59d45e93fcace57de5fbb5b4c0f3eaf007bf44afd1d56ee99
                                            • Opcode Fuzzy Hash: 79fb810342dc04ce0dfe741b914f5b726259f54fd3e3224fa3d13219a3395472
                                            • Instruction Fuzzy Hash: 502104B1504204DFDB25DF24D9D4B26BFA5FBCC324F20CA6DE9094B656C33AD846CA61
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4473779331.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_27ad000_aspnet_compiler.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: d803a856c2387ce61afed5e4d5af8abef072dcf34f642535534104bfc34a2986
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: 0711DD75504280CFDB16CF10D9D4B15BFB2FB88328F24CAA9D8494B656C33AD44ACB62