Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
x.ps1

Overview

General Information

Sample name:x.ps1
Analysis ID:1571246
MD5:e9bf208781b60d91292c6177677e27f8
SHA1:364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256:66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
Tags:ps1user-lontze7
Infos:

Detection

PureLog Stealer, Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected Quasar RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 7980 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 7996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1E47.tmp" "c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • aspnet_compiler.exe (PID: 8016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
    00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
        00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
          00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmpRAT_ImminentDetects Imminent RATKevin Breen <kevin@techanarchy.net>
          • 0x81e21:$v2a: <URL>k__BackingField
          • 0x81d5b:$v2b: <RunHidden>k__BackingField
          • 0x81ff1:$v2c: DownloadAndExecute
          • 0x8a9c9:$v2d: -CHECK & PING -n 2 127.0.0.1 & EXIT
          • 0x8e058:$v2e: england.png
          • 0x8d32e:$v2f: Showed Messagebox
          Click to see the 29 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.powershell.exe.1c482d465e8.1.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            0.2.powershell.exe.1c482bb0850.0.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
              0.2.powershell.exe.1c4ef260000.11.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                0.2.powershell.exe.1c4ef260000.11.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                  0.2.powershell.exe.1c482bb0850.0.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                    Click to see the 91 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: AspNetCompiler Execution
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7752, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 8016, ProcessName: aspnet_compiler.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ProcessId: 7752, ProcessName: powershell.exe
                    Sigma detected: Dynamic .NET Compilation Via Csc.EXE
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7752, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", ProcessId: 7980, ProcessName: csc.exe
                    Sigma detected: Dynamic CSharp Compile Artefact
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7752, TargetFilename: C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ProcessId: 7752, ProcessName: powershell.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Dot net compiler compiles file from suspicious location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7752, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline", ProcessId: 7980, ProcessName: csc.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-12-09T07:26:12.716126+010028140301A Network Trojan was detected192.168.2.9497383.33.130.190443TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Local\Temp\tmp4906.tmpAvira: detection malicious, Label: TR/Agent.ebgqa
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Local\Temp\tmp4906.tmpReversingLabs: Detection: 71%
                    Multi AV Scanner detection for submitted file
                    Source: x.ps1ReversingLabs: Detection: 18%
                    Source: x.ps1Virustotal: Detection: 36%Perma Link
                    Yara detected Quasar RAT
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 8016, type: MEMORYSTR
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49732 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 3.33.130.190:443 -> 192.168.2.9:49738 version: TLS 1.0
                    Source: Binary string: 3losh.pdb source: powershell.exe, 00000000.00000002.1431503065.000001C482BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482D45000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: .pdbeB~oh source: powershell.exe, 00000000.00000002.1539405797.000001C4EF0F1000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\3losh\Desktop\bashar\ConsoleApplication4\x64\Release\Dll1.pdb source: powershell.exe, 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmp, tmp4906.tmp.0.dr
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2814030 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check 2 : 192.168.2.9:49738 -> 3.33.130.190:443
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.9:49744 -> 178.63.102.185:6060
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewIP Address: 3.33.130.190 3.33.130.190
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: freegeoip.net
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49732 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 3.33.130.190:443 -> 192.168.2.9:49738 version: TLS 1.0
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: freegeoip.net
                    Source: global trafficDNS traffic detected: DNS query: booksports64.linkpc.net
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C480001000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/q/11564914;
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/q/14436606/
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://stackoverflow.com/q/2152978/23354sCannot
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C480001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002F51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002FAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://freegeoip.net
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002FAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://freegeoip.net/xml/
                    Source: powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443

                    E-Banking Fraud

                    barindex
                    Yara detected Quasar RAT
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 8016, type: MEMORYSTR

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: QuasarRAT payload Author: ditekSHen
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Imminent RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent Author: Kevin Breen <kevin@techanarchy.net>
                    Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4906.tmpJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887C3AE5B0_2_00007FF887C3AE5B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_0158A2505_2_0158A250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_015899805_2_01589980
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_0158FA105_2_0158FA10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_015896385_2_01589638
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_069E12785_2_069E1278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_069EDFE85_2_069EDFE8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_069EDFE25_2_069EDFE2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_069EBB205_2_069EBB20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_06B394275_2_06B39427
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_06B346A85_2_06B346A8
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\tmp4906.tmp 7C0E07E3947E1C61818F8DE92CB4CC4F27481507D32C01C1287750F5FF3B6620
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_Jan18_1 date = 2018-01-29, hash2 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash1 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, author = Florian Roth, description = Detects Quasar RAT, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_Imminent date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects Imminent RAT, reference = http://malwareconfig.com/stats/Imminent
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_xRAT date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects xRAT, reference = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: xRAT date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/xRat
                    Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Imminent date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/Imminent
                    Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, z2jc63fLkugS1X8Q9N.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, ---------.csBase64 encoded string: 'mw2c1KzRBXJPa7CyN45q0oo34epaKRviFqQVhrWKFghCXHHeZZWwe0rYxi9Q4wNT', 'OKWyprUQsoJzKe9+zfsthegwRPL4O/y11urGglXZpUM6G/tBWzOyz8M7c6234bIH', 'NpnEbgDHG6ZU3tQ8U+OQSL+zZBtN3RSFW5ZhdFAULwgcn4/nNJV7vJZrRGiGEru9UySPJXcUNXBjNWpzMG3ZJg==', 'lWpuebZKZD/SjGLrkyC7o0xkpxKEDToPZ8myuah/cxf0gf3M4xBURn/nOjJj//Li'
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, ---------.csBase64 encoded string: 'mw2c1KzRBXJPa7CyN45q0oo34epaKRviFqQVhrWKFghCXHHeZZWwe0rYxi9Q4wNT', 'OKWyprUQsoJzKe9+zfsthegwRPL4O/y11urGglXZpUM6G/tBWzOyz8M7c6234bIH', 'NpnEbgDHG6ZU3tQ8U+OQSL+zZBtN3RSFW5ZhdFAULwgcn4/nNJV7vJZrRGiGEru9UySPJXcUNXBjNWpzMG3ZJg==', 'lWpuebZKZD/SjGLrkyC7o0xkpxKEDToPZ8myuah/cxf0gf3M4xBURn/nOjJj//Li'
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, ---------.csBase64 encoded string: 'mw2c1KzRBXJPa7CyN45q0oo34epaKRviFqQVhrWKFghCXHHeZZWwe0rYxi9Q4wNT', 'OKWyprUQsoJzKe9+zfsthegwRPL4O/y11urGglXZpUM6G/tBWzOyz8M7c6234bIH', 'NpnEbgDHG6ZU3tQ8U+OQSL+zZBtN3RSFW5ZhdFAULwgcn4/nNJV7vJZrRGiGEru9UySPJXcUNXBjNWpzMG3ZJg==', 'lWpuebZKZD/SjGLrkyC7o0xkpxKEDToPZ8myuah/cxf0gf3M4xBURn/nOjJj//Li'
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, SystemCore.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.expl.evad.winPS1@8/14@3/3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\KbyKnP2wA25jG0ZM4nvKwd6gPxsoeanC
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_znrjrnhy.41v.ps1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                    Source: x.ps1ReversingLabs: Detection: 18%
                    Source: x.ps1Virustotal: Detection: 36%
                    Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1E47.tmp" "c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1E47.tmp" "c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Binary string: 3losh.pdb source: powershell.exe, 00000000.00000002.1431503065.000001C482BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482D45000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: .pdbeB~oh source: powershell.exe, 00000000.00000002.1539405797.000001C4EF0F1000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\3losh\Desktop\bashar\ConsoleApplication4\x64\Release\Dll1.pdb source: powershell.exe, 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmp, powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmp, tmp4906.tmp.0.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),TKYn1Jl7U1AZYsGBGoW(typeof(Type).TypeHandle)})
                    Source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),TKYn1Jl7U1AZYsGBGoW(typeof(Type).TypeHandle)})
                    Source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),TKYn1Jl7U1AZYsGBGoW(typeof(Type).TypeHandle)})
                    Source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),TKYn1Jl7U1AZYsGBGoW(typeof(Type).TypeHandle)})
                    Source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, z2jc63fLkugS1X8Q9N.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),TKYn1Jl7U1AZYsGBGoW(typeof(Type).TypeHandle)})
                    .NET source code contains potential unpacker
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D81000 LoadLibraryW,GetProcAddress,GetProcAddress,0_2_00007FF8F8D81000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887C300BD pushad ; iretd 0_2_00007FF887C300C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887C37385 push ecx; iretd 0_2_00007FF887C373AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887C37957 push ebx; retf 0_2_00007FF887C3796A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887D00E4C pushad ; ret 0_2_00007FF887D00E4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_015870EA pushad ; ret 5_2_015870B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_015870B8 pushad ; ret 5_2_015870B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_069ECE6A push eax; ret 5_2_069ECE71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_06B323A0 push es; ret 5_2_06B323B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_06B36171 push ebx; iretd 5_2_06B36172
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: 'CQ8sMGlS9ZP81fRJBOK', 'ujHLfAlXgTr4GB7wUcc', 'u4iI94Dy8g', 'uSbcHCl8RhDw8dTLW96', 'ul4pKHlCwMERAhK7T3U', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj'
                    Source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: 'CQ8sMGlS9ZP81fRJBOK', 'ujHLfAlXgTr4GB7wUcc', 'u4iI94Dy8g', 'uSbcHCl8RhDw8dTLW96', 'ul4pKHlCwMERAhK7T3U', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj'
                    Source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: 'CQ8sMGlS9ZP81fRJBOK', 'ujHLfAlXgTr4GB7wUcc', 'u4iI94Dy8g', 'uSbcHCl8RhDw8dTLW96', 'ul4pKHlCwMERAhK7T3U', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj'
                    Source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: 'CQ8sMGlS9ZP81fRJBOK', 'ujHLfAlXgTr4GB7wUcc', 'u4iI94Dy8g', 'uSbcHCl8RhDw8dTLW96', 'ul4pKHlCwMERAhK7T3U', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj'
                    Source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, z2jc63fLkugS1X8Q9N.csHigh entropy of concatenated method names: 'CQ8sMGlS9ZP81fRJBOK', 'ujHLfAlXgTr4GB7wUcc', 'u4iI94Dy8g', 'uSbcHCl8RhDw8dTLW96', 'ul4pKHlCwMERAhK7T3U', 'm9OIO8Q0EK', 'z47It19xek', 'NQ1IZyT0jI', 'wgZIumIPsF', 'V26I7M2UXj'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4906.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.dllJump to dropped file

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 1540000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 2F50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 2E90000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6673Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3156Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp4906.tmpJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAPI coverage: 8.9 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 8120Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7040Thread sleep count: 343 > 30Jump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                    Source: aspnet_compiler.exe, 00000005.00000002.2610859046.00000000010BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 5_2_0158D458 LdrInitializeThunk,5_2_0158D458
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D81F7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF8F8D81F7C
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D81000 LoadLibraryW,GetProcAddress,GetProcAddress,0_2_00007FF8F8D81000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D812E0 GetProcessHeaps,free,malloc,GetProcessHeaps,HeapWalk,HeapWalk,free,0_2_00007FF8F8D812E0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D819D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF8F8D819D0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D81F7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF8F8D81F7C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, b.csReference to suspicious API methods: wI4N1D7eY7o9jgNKjj.UAAciFisg(GetProcAddress(LoadLibraryA(ref name), ref method), bEQnTr2AAImOnegw3L.UAAciFisg(typeof(CreateApi).TypeHandle, bEQnTr2AAImOnegw3L.jh45QeyDw), wI4N1D7eY7o9jgNKjj.YrAKsKWDc)
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, b.csReference to suspicious API methods: wI4N1D7eY7o9jgNKjj.UAAciFisg(GetProcAddress(LoadLibraryA(ref name), ref method), bEQnTr2AAImOnegw3L.UAAciFisg(typeof(CreateApi).TypeHandle, bEQnTr2AAImOnegw3L.jh45QeyDw), wI4N1D7eY7o9jgNKjj.YrAKsKWDc)
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, b.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer, 4, ref bytesWritten)
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, b.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num4, length, 12288, 64)
                    Source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, b.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num9, payload, bufferSize, ref bytesWritten)
                    Source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, KeyboardNativeMethods.csReference to suspicious API methods: MapVirtualKeyEx(virtualKeyCode, 0, activeKeyboard)
                    Injects a PE file into a foreign processes
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 44C000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 44E000Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: D65008Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1E47.tmp" "c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF8F8D81B4C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF8F8D81B4C
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bb0850.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4ef260000.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482d465e8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bd66e8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bc8ff8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482BC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected Quasar RAT
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 8016, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482d465e8.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bb0850.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4ef260000.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4ef260000.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bb0850.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482d465e8.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bd66e8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bc8ff8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bd66e8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c482bc8ff8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482D45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1431503065.000001C482BC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected Quasar RAT
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491160b70.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491138b38.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c491c25368.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.powershell.exe.1c4911b0ba8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 8016, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                    Native API                    		1
                    DLL Side-Loading                    		211
                    Process Injection                    		1
                    Disable or Modify Tools                    		OS Credential Dumping1
                    System Time Discovery                    		Remote Services11
                    Archive Collected Data                    		11
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    PowerShell                    		Boot or Logon Initialization Scripts1
                    DLL Side-Loading                    		31
                    Virtualization/Sandbox Evasion                    		LSASS Memory121
                    Security Software Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)211
                    Process Injection                    		Security Account Manager1
                    Process Discovery                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Ingress Tool Transfer                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Deobfuscate/Decode Files or Information                    		NTDS31
                    Virtualization/Sandbox Evasion                    		Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                    Obfuscated Files or Information                    		LSA Secrets1
                    Application Window Discovery                    		SSHKeylogging13
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Software Packing                    		Cached Domain Credentials1
                    System Network Configuration Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSync2
                    File and Directory Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem13
                    System Information Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    x.ps118%ReversingLabsWin32.Trojan.Generic
                    x.ps136%VirustotalBrowse

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Local\Temp\tmp4906.tmp100%AviraTR/Agent.ebgqa
                    C:\Users\user\AppData\Local\Temp\tmp4906.tmp71%ReversingLabsWin64.Trojan.AsyncRAT

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    		104.26.12.205
                    		truefalse
                      		high
                      s-part-0035.t-0009.t-msedge.net
                      		13.107.246.63
                      		truefalse
                        		high
                        booksports64.linkpc.net
                        		178.63.102.185
                        		truefalse
                          		unknown
                          freegeoip.net
                          		3.33.130.190
                          		truefalse
                            		high

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            https://api.ipify.org/false
                              		high
                              https://freegeoip.net/xml/false
                                		high

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://api.ipify.orgaspnet_compiler.exe, 00000005.00000002.2614537206.0000000002F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://freegeoip.netaspnet_compiler.exe, 00000005.00000002.2614537206.0000000002FAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/powershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://stackoverflow.com/q/2152978/23354sCannotpowershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://contoso.com/Licensepowershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://contoso.com/Iconpowershell.exe, 00000000.00000002.1483625168.000001C490A4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://stackoverflow.com/q/11564914;powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://aka.ms/pscore68powershell.exe, 00000000.00000002.1431503065.000001C480001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1431503065.000001C480001000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000002F51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1431503065.000001C482029000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://stackoverflow.com/q/14436606/powershell.exe, 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high

                                                                    World Map of Contacted IPs

                                                                    • No. of IPs < 25%
                                                                    • 25% < No. of IPs < 50%
                                                                    • 50% < No. of IPs < 75%
                                                                    • 75% < No. of IPs

                                                                    Public IPs

                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                    104.26.12.205
                                                                    		api.ipify.orgUnited States
                                                                    		13335CLOUDFLARENETUSfalse
                                                                    178.63.102.185
                                                                    		booksports64.linkpc.netGermany
                                                                    		24940HETZNER-ASDEfalse
                                                                    3.33.130.190
                                                                    		freegeoip.netUnited States
                                                                    		8987AMAZONEXPANSIONGBfalse

                                                                    General Information

                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1571246
                                                                    Start date and time:2024-12-09 07:25:04 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 6m 46s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:10
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:x.ps1
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.expl.evad.winPS1@8/14@3/3
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 99%
                                                                    • Number of executed functions: 25
                                                                    • Number of non-executed functions: 4
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .ps1

                                                                    Warnings

                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                    Simulations

                                                                    Behavior and APIs

                                                                    TimeTypeDescription
                                                                    01:26:02API Interceptor25x Sleep call for process: powershell.exe modified
                                                                    01:26:15API Interceptor34x Sleep call for process: aspnet_compiler.exe modified

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    104.26.12.205xKvkNk9SXR.exeGet hashmaliciousTrojanRansomBrowse
                                                                    • api.ipify.org/
                                                                    GD8c7ARn8q.exeGet hashmaliciousTrojanRansomBrowse
                                                                    • api.ipify.org/
                                                                    8AbMCL2dxM.exeGet hashmaliciousRCRU64, TrojanRansomBrowse
                                                                    • api.ipify.org/
                                                                    Simple2.exeGet hashmaliciousUnknownBrowse
                                                                    • api.ipify.org/
                                                                    Ransomware Mallox.exeGet hashmaliciousTargeted RansomwareBrowse
                                                                    • api.ipify.org/
                                                                    Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                                    • api.ipify.org/
                                                                    6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                                    • api.ipify.org/
                                                                    perfcc.elfGet hashmaliciousXmrigBrowse
                                                                    • api.ipify.org/
                                                                    SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                    • api.ipify.org/
                                                                    SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                                                    • api.ipify.org/
                                                                    178.63.102.185600%202024.exeGet hashmaliciousPureLog StealerBrowse
                                                                      3.33.130.190SN500, SN150 Spec.exeGet hashmaliciousFormBookBrowse
                                                                      • www.hiddenripple.org/om0o/
                                                                      purchase order.exeGet hashmaliciousFormBookBrowse
                                                                      • www.iglpg.online/rbqc/
                                                                      QiGA4zxp7h.exeGet hashmaliciousFormBookBrowse
                                                                      • www.estore.club/p25o/?mf2P2ZO=KxerE7bt1ILxWuK2Ogwmg4SdYCtN6pOlcrT0BgEre+3DBOmdtLLk2VwqammP0eU2mwfd&lZ9=SjMp8LwxCngXY6N
                                                                      maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.htaGet hashmaliciousCobalt Strike, FormBook, HTMLPhisherBrowse
                                                                      • www.asiapartnars.online/tkmh/
                                                                      PAYMENT TO NFTC (CUB) 02-12-24.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                                                      • www.digitalincomenow.net/f9il/?ZPVH=z0Fx&lD=NhEVkYzabIKPpJHZ83mjzeKqPNsChMeU5O9PLcshWYuAO9QYQ/eWp+L7PSe4MMQr7Exac2S24fuv+78O9+s7ZUMnzlJ8/6HwM05Pv/hjkNPOnazZsg==
                                                                      Purchase Order..exeGet hashmaliciousFormBookBrowse
                                                                      • www.goldstarfootwear.shop/8m07/
                                                                      attached invoice.exeGet hashmaliciousFormBookBrowse
                                                                      • www.iglpg.online/rbqc/
                                                                      http://ar-oracle.comGet hashmaliciousUnknownBrowse
                                                                      • ar-oracle.com/lander
                                                                      111101155134.vbsGet hashmaliciousFormBookBrowse
                                                                      • www.capecuvee.net/c4vx/
                                                                      Quotation Validity.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                      • www.goldstarfootwear.shop/8m07/

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      freegeoip.netfptlVDDPkS.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      fptlVDDPkS.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 3.33.130.190
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 3.33.130.190
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 15.197.148.33
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 3.33.130.190
                                                                      vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                                                                      • 3.33.130.190
                                                                      booksports64.linkpc.net600%202024.exeGet hashmaliciousPureLog StealerBrowse
                                                                      • 178.63.102.185
                                                                      RW247RdWMO.exeGet hashmaliciousNjratBrowse
                                                                      • 136.243.179.5
                                                                      RW247RdWMO.exeGet hashmaliciousNjratBrowse
                                                                      • 136.243.179.5
                                                                      4ED736782515078D2C602AE701F7B329033E5E84CFD70.exeGet hashmaliciousnjRatBrowse
                                                                      • 46.4.107.76
                                                                      api.ipify.orgfile.exeGet hashmaliciousQuasarBrowse
                                                                      • 104.26.13.205
                                                                      Xeno Executor.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                      • 104.26.13.205
                                                                      file.exeGet hashmaliciousAmadey, CredGrabber, LummaC Stealer, Meduza Stealer, Stealc, VidarBrowse
                                                                      • 172.67.74.152
                                                                      file.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                      • 104.26.12.205
                                                                      malware.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                                      • 172.67.74.152
                                                                      Overdue_payment.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 172.67.74.152
                                                                      TECHNICAL SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      Shipping Documents 72908672134.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.13.205
                                                                      980001672 PPR for 30887217.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 172.67.74.152
                                                                      y1rS62yprs.exeGet hashmaliciousBabadedaBrowse
                                                                      • 104.26.13.205
                                                                      s-part-0035.t-0009.t-msedge.netfnZWGb4PEJ.exeGet hashmaliciousUnknownBrowse
                                                                      • 13.107.246.63
                                                                      file.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 13.107.246.63
                                                                      6fW0GedR6j.xlsGet hashmaliciousUnknownBrowse
                                                                      • 13.107.246.63
                                                                      Transferencia.lnkGet hashmaliciousXenoRATBrowse
                                                                      • 13.107.246.63
                                                                      BUNKER INVOICE MV SUN OCEAN.pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                      • 13.107.246.63
                                                                      Bunker_STS_pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                      • 13.107.246.63
                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 13.107.246.63
                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 13.107.246.63
                                                                      file.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 13.107.246.63
                                                                      file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                      • 13.107.246.63

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUScllmxIZWcQ.lnkGet hashmaliciousUnknownBrowse
                                                                      • 172.67.209.252
                                                                      DXzJ8Bi7WC.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 104.21.16.9
                                                                      IJGLxMMTaK.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.26.0.5
                                                                      cd94pB4Z9p.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 172.67.165.166
                                                                      IJGLxMMTaK.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.26.0.5
                                                                      AmNdY4tRXD.exeGet hashmaliciousLummaC StealerBrowse
                                                                      • 104.21.16.9
                                                                      NEW.RFQ00876.pdf.exeGet hashmaliciousFormBookBrowse
                                                                      • 172.67.145.234
                                                                      SN500, SN150 Spec.exeGet hashmaliciousFormBookBrowse
                                                                      • 172.67.177.137
                                                                      Hesap_Hareketleri_09122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 104.21.67.152
                                                                      BUNKER INVOICE MV SUN OCEAN.pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                      • 104.21.65.104
                                                                      AMAZONEXPANSIONGBSN500, SN150 Spec.exeGet hashmaliciousFormBookBrowse
                                                                      • 3.33.130.190
                                                                      arm.elfGet hashmaliciousUnknownBrowse
                                                                      • 15.200.6.220
                                                                      mips.elfGet hashmaliciousUnknownBrowse
                                                                      • 3.33.85.219
                                                                      https://www.schneiderpostaccident.comGet hashmaliciousUnknownBrowse
                                                                      • 52.223.43.160
                                                                      purchase order.exeGet hashmaliciousFormBookBrowse
                                                                      • 3.33.130.190
                                                                      https://www.calameo.com/read/00783464726989e2a209aGet hashmaliciousUnknownBrowse
                                                                      • 3.33.220.150
                                                                      https://www.nomadaproducciones.com/hzGet hashmaliciousUnknownBrowse
                                                                      • 3.33.130.190
                                                                      MGQeZjDXc3.exeGet hashmaliciousFormBookBrowse
                                                                      • 3.33.130.190
                                                                      https://ness.wiktripfitness.com/ghjki9l-8765t4/3/er4t5y6u7jyhtgrfefrgthyjuyhtgdsarfedwsqaGet hashmaliciousUnknownBrowse
                                                                      • 52.223.40.198
                                                                      s7Okni1gfE.exeGet hashmaliciousFormBookBrowse
                                                                      • 3.33.130.190
                                                                      HETZNER-ASDE32%20VPN.exeGet hashmaliciousAsyncRATBrowse
                                                                      • 136.243.179.5
                                                                      222.exeGet hashmaliciousNjratBrowse
                                                                      • 136.243.179.5
                                                                      600%202024.exeGet hashmaliciousPureLog StealerBrowse
                                                                      • 178.63.102.185
                                                                      xhost.vbsGet hashmaliciousUnknownBrowse
                                                                      • 136.243.179.5
                                                                      800.vbsGet hashmaliciousUnknownBrowse
                                                                      • 136.243.179.5
                                                                      jew.x86.elfGet hashmaliciousUnknownBrowse
                                                                      • 94.130.241.86
                                                                      .main.elfGet hashmaliciousXmrigBrowse
                                                                      • 5.75.186.53
                                                                      .report_system.elfGet hashmaliciousXmrigBrowse
                                                                      • 5.75.186.53
                                                                      meerkat.x86.elfGet hashmaliciousMiraiBrowse
                                                                      • 49.13.51.167
                                                                      home.sh4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.201.195.8

                                                                      JA3 Fingerprints

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      54328bd36c14bd82ddaa0c04b25ed9adY5kEUsYDFr.exeGet hashmaliciousUnknownBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      Hesap_Hareketleri_09122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      SIPARIS TEYIT FORMU VE PROFORMA FATURA.exeGet hashmaliciousMassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      INVOICES.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      BL-100410364195.exeGet hashmaliciousMassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      INQUIRY REQUEST AND PRICES_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      Bank Swift and SOA PRN00720031415453_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      RFQ Order list #2667747.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      Payment Details Ref#577767.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205
                                                                      IBAN Payment confirmation.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                      • 3.33.130.190
                                                                      • 104.26.12.205

                                                                      Dropped Files

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      C:\Users\user\AppData\Local\Temp\tmp4906.tmpVotre_relev#U00e9_fiscal.vbsGet hashmaliciousAsyncRATBrowse
                                                                        Suivi__FR0215586J202.vbsGet hashmaliciousAsyncRATBrowse
                                                                          Votrerelev#U00e9fiscal.vbsGet hashmaliciousAsyncRAT QuasarBrowse
                                                                            Document-Required.vbsGet hashmaliciousAsyncRATBrowse
                                                                              test.cmdGet hashmaliciousAsyncRATBrowse

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlllulfj+l/Z:NllUa
                                                                                MD5:AEC655F8EE3DD3150DA36365EB66C091
                                                                                SHA1:3E4FCCFC1CE43B9802B56898F261467781DB1D33
                                                                                SHA-256:9E9E998CAC647B8C511C01A7983633D5DB70C5EC748AD488FE78898A89AB6270
                                                                                SHA-512:D98A7A562D940B4DCDA2ECB91DAC0046FD635425E8CF2A8A0646D693050C6A26BB0D704197DCE51E8EDFDD7EBC322B89E1D5FDEB76189B2CF523A0490473F9E0
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:@...e................................................@..........

                                                                                C:\Users\user\AppData\Local\Temp\RES1E47.tmp

                                                                                Download File
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Dec 9 07:28:17 2024, 1st section name ".debug$S"
                                                                                Category:dropped
                                                                                Size (bytes):1328
                                                                                Entropy (8bit):3.9988696750077715
                                                                                Encrypted:false
                                                                                SSDEEP:24:Hme9EujwZcCEwZHwuYwKTFjmNII+ycuZhNyakSaPNnqSqd:jjwZcCEwZ5KTRmu1ulya3WqSK
                                                                                MD5:D37903FD384A2B545F2F61FA7B2EC5A1
                                                                                SHA1:276D12E153905C2F59B6D5B4937909C41263153D
                                                                                SHA-256:026658327C654E4E47286DD3242B1602C9B338781E66137C8CA9E5ECDD12A8F6
                                                                                SHA-512:0E02BE5241806A153F975C5247545A14FD6BC1EA45E664C2F437897B2885FE00BB648C2AC81C3AC902EC7B8272F1CDA1C204653670C66756193EBC8277C0AFF1
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:L.....Vg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP...................&..P.....)@...........3.......C:\Users\user\AppData\Local\Temp\RES1E47.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.j.2.y.p.k.n.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gloiks31.dvg.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_topg44vg.vmx.psm1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvcw22w4.ysq.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_znrjrnhy.41v.ps1

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                C:\Users\user\AppData\Local\Temp\tmp4906.tmp

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):12800
                                                                                Entropy (8bit):5.214561685881693
                                                                                Encrypted:false
                                                                                SSDEEP:192:OW/Pt4BrF4psILa1AMTCpdJILmxH0+hHGDcgtd26:P45F4CIL/M6JHU+hHXgd2
                                                                                MD5:E6B7078B6B145749C223B63690CF7822
                                                                                SHA1:562145C8FDEF211277DCFE2170CAD2BA862DFDCA
                                                                                SHA-256:7C0E07E3947E1C61818F8DE92CB4CC4F27481507D32C01C1287750F5FF3B6620
                                                                                SHA-512:0A02BEE32C2FF2B7A1B3574A4AD39C77E697B09CB61773B98C08C243ADF1679246CC966B8F291077F7361A0DCF31C023CA4F2EEB99A37121B7652EABF23F0D5B
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                Joe Sandbox View:
                                                                                • Filename: Votre_relev#U00e9_fiscal.vbs, Detection: malicious, Browse
                                                                                • Filename: Suivi__FR0215586J202.vbs, Detection: malicious, Browse
                                                                                • Filename: Votrerelev#U00e9fiscal.vbs, Detection: malicious, Browse
                                                                                • Filename: Document-Required.vbs, Detection: malicious, Browse
                                                                                • Filename: test.cmd, Detection: malicious, Browse
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R................".....D......D......D......D.................1................N...........Rich....................PE..d....:.b.........." ......................................................................`..........................................:..@....:..d....`.......P...............p..(....3..p........................... 4..8............0...............................text............................... ..`.rdata..*....0......................@..@.data........@.......*..............@....pdata.......P.......,..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

                                                                                C:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP

                                                                                Download File
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:MSVC .res
                                                                                Category:dropped
                                                                                Size (bytes):652
                                                                                Entropy (8bit):3.1260353118219055
                                                                                Encrypted:false
                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grysXak7YnqqVAPN5Dlq5J:+RI+ycuZhNyakSaPNnqX
                                                                                MD5:8C1FED9926ACEF5086CDE70A812940D8
                                                                                SHA1:389EE463CF9DEA5CB7E671B967F629B3E9DB080E
                                                                                SHA-256:0A7864B16F5AFFB748AFCF1427E8FEBEB676F94F0BB8A9ADADAA1A9D1B3DB8B9
                                                                                SHA-512:ED3EC02E64B0DCBF243FBA130863E8311EBBEBFD893F3D7FED44F0FEC2B51556A3E2C557230427870C6FDD553E78A3C63355E599FECF04E81D444D42F48D9C60
                                                                                Malicious:false
                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.j.2.y.p.k.n.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.j.2.y.p.k.n.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                                C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.0.cs

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):240
                                                                                Entropy (8bit):5.066306480733702
                                                                                Encrypted:false
                                                                                SSDEEP:6:V/DsDrDCSvSoyFFeMw1qLTwi23fwbhUFo2SRdp:V/DGrO5NwZ4Jr
                                                                                MD5:6E26F97A089300F1BE3E17CA1EECE810
                                                                                SHA1:7C2807B856E2AD9F73E611FE8B9692445C34204A
                                                                                SHA-256:12381C40FFCB64199FA64D1806CE063A52E14CF697B3C412EFE786082DC3ABB3
                                                                                SHA-512:69A03C3821591FF3FF177048D51C60E8D2C59E4380192EFDFB340E4A29E8BC1E3BC997A6B4FE87AB5549278FBC52AE130B7523108C1E3D515B79DB9E3AA28C43
                                                                                Malicious:false
                                                                                Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;..public static class PoH..{.. [DllImport(@"C:\Users\user\AppData\Local\Temp\tmp4906.tmp", CharSet=CharSet.Auto)].. public static extern int main(); ..}

                                                                                C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):367
                                                                                Entropy (8bit):5.307823798749505
                                                                                Encrypted:false
                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2qLTwi23fAVVzxs7+AEszIqLTwi23fAVXA:p37Lvkmb6KbwZMWZEmwZ+A
                                                                                MD5:E535D0B2DE8B83186BB2D5C0DA37458D
                                                                                SHA1:F78C5C5FCEC40A42E56195D0BAD9BF56F4ECCD1C
                                                                                SHA-256:DC61A5F1250233D1CA387D9FD6630C934A2EA8B45EB4560A3DAE8A5B5395C531
                                                                                SHA-512:DC2AA6D2F2315DB8EE1031EC0551E723F1D8014F7E6F00A1E7F1A115C7DF01224D52CB5A69825723D173878420FB328D4D9025B63547E8996285A16A6E8F1C5A
                                                                                Malicious:true
                                                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.0.cs"

                                                                                C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.dll

                                                                                Download File
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):3072
                                                                                Entropy (8bit):2.6933795273322385
                                                                                Encrypted:false
                                                                                SSDEEP:24:etGS4vBMAZ+gOo9jf2uDxRPtkF8wwZBIP0WI+ycuZhNyakSaPNnq:6dAsgOo9jfPDWF8wwZBIPX1ulya3Wq
                                                                                MD5:28CBAB8D004BC005C81942BF415B2DC5
                                                                                SHA1:96B5B48FB6C5BE71A14E18D269FE150D2C011AEF
                                                                                SHA-256:CAB3A1C47473D6D1077D38D85C3FE024AE3059DBAFCE57137365974A8252ABB8
                                                                                SHA-512:3682CE0F8919386BCACE12625FFBF0189D1F54DB5299AB76EE13F17F5A05B1E0FB987B426B608AC4812E8B87C647DFC6625CFBF41845250DB8EA4F14DC9860C9
                                                                                Malicious:true
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Vg...........!................N#... ...@....... ....................................@.................................."..O....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0#......H.......P ..............................................................BSJB............v4.0.30319......l.......#~..L.......#Strings....P.......#US.X.......#GUID...h...D...#Blob...........G.........%3........................................................+.$...W.7...}.7.......................................... 2.......w.....w...!.w.............%.......2................................................<Module>.zj2ypknx.dll.PoH.mscorlib.System.Object.main.System.Runtime.Compil

                                                                                C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.out

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                Category:modified
                                                                                Size (bytes):866
                                                                                Entropy (8bit):5.352180113351527
                                                                                Encrypted:false
                                                                                SSDEEP:24:K8Id3ka6KbwZ9EmwZsKax5DqBVKVrdFAMBJTH:Hkka6CwZ9EmwZsK2DcVKdBJj
                                                                                MD5:5D6E7F40F4AC83CB53BA15B5D3D7D50F
                                                                                SHA1:3EE7B3CFEDC3EA50B31B2D37DC76A2C2325781CC
                                                                                SHA-256:E0CDBC56BA906DCBB57FB98FC8C7E4B4F837F3D69BCEC6151F8FFEF90CEA338A
                                                                                SHA-512:B8A323ACB26892BF03677581EF924E171FC97BA222653EBC740FEAC24F2FC11498D3A7A117E70BB2F10654BE92485BB3E659469685B1AE8A097EBBA9370B629B
                                                                                Malicious:false
                                                                                Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):6220
                                                                                Entropy (8bit):3.7070539252761177
                                                                                Encrypted:false
                                                                                SSDEEP:96:zJRdaCQQlgkvhkvCCtVsS9XXHTNS9XpHT+:zJRd+KsOSbSS
                                                                                MD5:DE164ED232A12BF86BFD937B7008CE17
                                                                                SHA1:717B5AFBF58396B3D3D6742E678951853BC20FC0
                                                                                SHA-256:F16F4F86145699CD429EB40D33584E423EB86D8BCCFDCC74C2B37A8DBAB5B768
                                                                                SHA-512:2806F83FEF6569FC54C2B9D8F3487048D9CED0E8FE3825AFFE8386C853C6DF268974DF474BD52304FB8B3334090D59AEDBCC37D79A4EEFDBBCC90ED1E7522756
                                                                                Malicious:false
                                                                                Preview:...................................FL..................F.".. ....'GDj.... .6.J..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj...)X.1.J...o.6.J......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y=3..........................=...A.p.p.D.a.t.a...B.V.1......Y:3..Roaming.@......EWsG.Y:3..........................n...R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y83..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y83..........................3S..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y83....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y83....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y@3................

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\IBUC5J32JCZE1CB8E3I8.temp

                                                                                Download File
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):6220
                                                                                Entropy (8bit):3.7070539252761177
                                                                                Encrypted:false
                                                                                SSDEEP:96:zJRdaCQQlgkvhkvCCtVsS9XXHTNS9XpHT+:zJRd+KsOSbSS
                                                                                MD5:DE164ED232A12BF86BFD937B7008CE17
                                                                                SHA1:717B5AFBF58396B3D3D6742E678951853BC20FC0
                                                                                SHA-256:F16F4F86145699CD429EB40D33584E423EB86D8BCCFDCC74C2B37A8DBAB5B768
                                                                                SHA-512:2806F83FEF6569FC54C2B9D8F3487048D9CED0E8FE3825AFFE8386C853C6DF268974DF474BD52304FB8B3334090D59AEDBCC37D79A4EEFDBBCC90ED1E7522756
                                                                                Malicious:false
                                                                                Preview:...................................FL..................F.".. ....'GDj.... .6.J..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj...)X.1.J...o.6.J......t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsG.Y=3..........................=...A.p.p.D.a.t.a...B.V.1......Y:3..Roaming.@......EWsG.Y:3..........................n...R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsG.Y83..........................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsG.Y83..........................3S..W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsG.Y83....................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsG.Y83....................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsG.Y@3................

                                                                                Static File Info

                                                                                General

                                                                                File type:Generic INItialization configuration [string]
                                                                                Entropy (8bit):4.011171334505638
                                                                                TrID:
                                                                                  File name:x.ps1
                                                                                  File size:776'126 bytes
                                                                                  MD5:e9bf208781b60d91292c6177677e27f8
                                                                                  SHA1:364f17ba1b85e4c903157cb8a897f35fa48e73b7
                                                                                  SHA256:66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
                                                                                  SHA512:3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
                                                                                  SSDEEP:12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH
                                                                                  TLSH:5DF49CA243545EBDF69C0FC4896B345720F1E457BE254249AFB319EBBC3BCD0A830666
                                                                                  File Content Preview:....[System.Environment]::CurrentDirectory = $pwd.Path..function cnvrtf {.. param (.. [string].. $cxxxxxp.. ).. [byte[]]$kkkk = @(13,225,70,50,167,212,237,45,213,47,25,33,53,44,7,36).. $ss = $cxxxxxp | ConvertTo-SecureString -Key

                                                                                  File Icon

                                                                                  Icon Hash:3270d6baae77db44

                                                                                  Network Behavior

                                                                                  Suricata IDS Alerts

                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                  2024-12-09T07:26:12.716126+01002814030ETPRO MALWARE W32/Quasar RAT Connectivity Check 21192.168.2.9497383.33.130.190443TCP

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 9, 2024 07:26:09.237308979 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:09.237346888 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:09.237478018 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:09.246571064 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:09.246584892 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.465687990 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.465799093 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:10.471103907 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:10.471115112 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.471436024 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.512305975 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:10.518532991 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:10.563323975 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.899007082 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.899060011 CET44349732104.26.12.205192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.899125099 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:10.905689001 CET49732443192.168.2.9104.26.12.205
                                                                                  Dec 9, 2024 07:26:11.046792984 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:11.046859026 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:11.046951056 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:11.047337055 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:11.047352076 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.279146910 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.279232025 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:12.281688929 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:12.281723022 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.282008886 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.283418894 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:12.331326962 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.716166019 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.716233969 CET443497383.33.130.190192.168.2.9
                                                                                  Dec 9, 2024 07:26:12.716301918 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:12.716979980 CET49738443192.168.2.93.33.130.190
                                                                                  Dec 9, 2024 07:26:13.271291018 CET497446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:13.391067982 CET606049744178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:13.391184092 CET497446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:15.591149092 CET606049744178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:15.591270924 CET497446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:16.606112957 CET497446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:16.607492924 CET497516060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:16.725411892 CET606049744178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:16.726726055 CET606049751178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:16.726830959 CET497516060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:17.757635117 CET497516060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:17.876954079 CET606049751178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:18.922164917 CET606049751178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:18.922274113 CET497516060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:19.856647968 CET497516060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:19.857501984 CET497626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:19.975930929 CET606049751178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:19.976846933 CET606049762178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:19.976928949 CET497626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:22.172218084 CET606049762178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:22.172310114 CET497626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:22.949932098 CET497626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:22.953447104 CET497686060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:23.069206953 CET606049762178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:23.072671890 CET606049768178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:23.072766066 CET497686060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:25.295428038 CET606049768178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:25.295591116 CET497686060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:26.043750048 CET497686060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:26.045187950 CET497796060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:26.163072109 CET606049768178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:26.164443970 CET606049779178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:26.164530993 CET497796060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:28.366377115 CET606049779178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:28.366570950 CET497796060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:29.356355906 CET497796060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:29.357511044 CET497856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:29.475594044 CET606049779178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:29.476702929 CET606049785178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:29.476795912 CET497856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:31.669471025 CET606049785178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:31.669586897 CET497856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:32.434381008 CET497856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:32.437684059 CET497966060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:32.553761959 CET606049785178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:32.556911945 CET606049796178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:32.557022095 CET497966060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:34.766778946 CET606049796178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:34.766884089 CET497966060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:35.715363979 CET497966060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:35.716706038 CET498026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:35.834743023 CET606049796178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:35.836026907 CET606049802178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:35.836297989 CET498026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:38.029676914 CET606049802178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:38.029783010 CET498026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:39.198024988 CET498026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:39.200844049 CET498136060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:39.317403078 CET606049802178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:39.320107937 CET606049813178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:39.320184946 CET498136060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:41.514401913 CET606049813178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:41.514481068 CET498136060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:42.324775934 CET498136060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:42.335011959 CET498196060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:42.444112062 CET606049813178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:42.454493999 CET606049819178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:42.454596996 CET498196060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:44.655306101 CET606049819178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:44.655422926 CET498196060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:45.527786970 CET498196060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:45.529267073 CET498306060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:45.647200108 CET606049819178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:45.648936033 CET606049830178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:45.649013042 CET498306060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:47.843453884 CET606049830178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:47.843569040 CET498306060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:48.605932951 CET498306060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:48.607237101 CET498366060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:48.725214958 CET606049830178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:48.726525068 CET606049836178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:48.726644993 CET498366060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:50.920773029 CET606049836178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:50.920882940 CET498366060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:51.668776035 CET498366060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:51.670488119 CET498446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:51.788111925 CET606049836178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:51.789767981 CET606049844178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:51.789870977 CET498446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:53.999470949 CET606049844178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:53.999550104 CET498446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:54.824692965 CET498446060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:54.826515913 CET498536060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:54.943903923 CET606049844178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:54.945678949 CET606049853178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:54.945758104 CET498536060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:57.139431000 CET606049853178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:57.139524937 CET498536060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:58.105783939 CET498536060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:58.107254982 CET498616060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:26:58.225039005 CET606049853178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:58.226608038 CET606049861178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:26:58.226717949 CET498616060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:00.420746088 CET606049861178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:00.420918941 CET498616060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:01.199577093 CET498616060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:01.200983047 CET498716060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:01.318903923 CET606049861178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:01.320333958 CET606049871178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:01.320450068 CET498716060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:03.515860081 CET606049871178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:03.515942097 CET498716060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:04.293236017 CET498716060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:04.294167042 CET498776060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:04.412523985 CET606049871178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:04.413403034 CET606049877178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:04.417241096 CET498776060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:06.609687090 CET606049877178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:06.609781981 CET498776060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:07.387182951 CET498776060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:07.388394117 CET498876060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:07.507790089 CET606049877178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:07.508961916 CET606049887178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:07.509051085 CET498876060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:09.718503952 CET606049887178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:09.718657017 CET498876060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:10.741925001 CET498876060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:10.757234097 CET498946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:10.861681938 CET606049887178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:10.876580000 CET606049894178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:10.876673937 CET498946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:13.078907967 CET606049894178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:13.079092026 CET498946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:14.043514013 CET498946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:14.046761036 CET499046060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:14.163203955 CET606049894178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:14.165977955 CET606049904178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:14.166121960 CET499046060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:16.370542049 CET606049904178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:16.370693922 CET499046060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:17.136921883 CET499046060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:17.138537884 CET499116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:17.256412029 CET606049904178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:17.257836103 CET606049911178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:17.257983923 CET499116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:19.453895092 CET606049911178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:19.454005957 CET499116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:20.230703115 CET499116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:20.232400894 CET499186060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:20.350178003 CET606049911178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:20.351629972 CET606049918178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:20.351716995 CET499186060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:22.544707060 CET606049918178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:22.544821024 CET499186060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:23.527776003 CET499186060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:23.530406952 CET499286060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:23.647109032 CET606049918178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:23.649651051 CET606049928178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:23.649882078 CET499286060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:25.843872070 CET606049928178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:25.844007015 CET499286060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:26.699409962 CET499286060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:26.702133894 CET499356060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:26.818630934 CET606049928178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:26.821419001 CET606049935178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:26.821492910 CET499356060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:29.016722918 CET606049935178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:29.016853094 CET499356060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:29.855669022 CET499356060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:29.856745005 CET499456060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:29.975049973 CET606049935178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:29.975982904 CET606049945178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:29.976068020 CET499456060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:32.173742056 CET606049945178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:32.173834085 CET499456060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:32.918096066 CET499456060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:32.919368982 CET499526060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:33.037343979 CET606049945178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:33.038599968 CET606049952178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:33.038733006 CET499526060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:35.234354973 CET606049952178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:35.234460115 CET499526060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:36.074289083 CET499526060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:36.075706005 CET499626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:36.193619967 CET606049952178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:36.194962025 CET606049962178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:36.195051908 CET499626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:38.452619076 CET606049962178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:38.452714920 CET499626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:39.355572939 CET499626060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:39.356956005 CET499696060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:39.474878073 CET606049962178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:39.476212025 CET606049969178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:39.476300955 CET499696060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:41.702486038 CET606049969178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:41.702570915 CET499696060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:42.449305058 CET499696060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:42.450766087 CET499786060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:42.568696022 CET606049969178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:42.570054054 CET606049978178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:42.570323944 CET499786060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:44.765259981 CET606049978178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:44.766994953 CET499786060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:45.762316942 CET499786060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:45.764224052 CET499856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:45.881515980 CET606049978178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:45.883440971 CET606049985178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:45.883550882 CET499856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:48.077584982 CET606049985178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:48.077686071 CET499856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:48.996118069 CET499856060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:48.997392893 CET499946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:49.115468979 CET606049985178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:49.116626978 CET606049994178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:49.116705894 CET499946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:51.312498093 CET606049994178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:51.312685966 CET499946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:52.199400902 CET499946060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:52.200803041 CET500026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:52.318866968 CET606049994178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:52.320147038 CET606050002178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:52.320291996 CET500026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:54.549005985 CET606050002178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:54.549139977 CET500026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:55.433603048 CET500026060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:55.434824944 CET500096060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:55.577024937 CET606050002178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:55.577044010 CET606050009178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:55.577132940 CET500096060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:57.782557011 CET606050009178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:57.782645941 CET500096060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:58.761847019 CET500096060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:58.763252020 CET500106060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:27:58.881143093 CET606050009178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:58.882675886 CET606050010178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:27:58.882812023 CET500106060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:28:01.076772928 CET606050010178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:28:01.076864004 CET500106060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:28:01.996185064 CET500106060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:28:01.997397900 CET500116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:28:02.115789890 CET606050010178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:28:02.116805077 CET606050011178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:28:02.116902113 CET500116060192.168.2.9178.63.102.185
                                                                                  Dec 9, 2024 07:28:04.314161062 CET606050011178.63.102.185192.168.2.9
                                                                                  Dec 9, 2024 07:28:04.314827919 CET500116060192.168.2.9178.63.102.185

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 9, 2024 07:26:09.088212013 CET5876553192.168.2.91.1.1.1
                                                                                  Dec 9, 2024 07:26:09.225528955 CET53587651.1.1.1192.168.2.9
                                                                                  Dec 9, 2024 07:26:10.908376932 CET5756253192.168.2.91.1.1.1
                                                                                  Dec 9, 2024 07:26:11.045556068 CET53575621.1.1.1192.168.2.9
                                                                                  Dec 9, 2024 07:26:13.132802963 CET6271853192.168.2.91.1.1.1
                                                                                  Dec 9, 2024 07:26:13.270468950 CET53627181.1.1.1192.168.2.9

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Dec 9, 2024 07:26:09.088212013 CET192.168.2.91.1.1.10x5b7dStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:10.908376932 CET192.168.2.91.1.1.10x4123Standard query (0)freegeoip.netA (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:13.132802963 CET192.168.2.91.1.1.10x9bbdStandard query (0)booksports64.linkpc.netA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Dec 9, 2024 07:25:56.612924099 CET1.1.1.1192.168.2.90x8a2cNo error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                  Dec 9, 2024 07:25:56.612924099 CET1.1.1.1192.168.2.90x8a2cNo error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:09.225528955 CET1.1.1.1192.168.2.90x5b7dNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:09.225528955 CET1.1.1.1192.168.2.90x5b7dNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:09.225528955 CET1.1.1.1192.168.2.90x5b7dNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:11.045556068 CET1.1.1.1192.168.2.90x4123No error (0)freegeoip.net3.33.130.190A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:11.045556068 CET1.1.1.1192.168.2.90x4123No error (0)freegeoip.net15.197.148.33A (IP address)IN (0x0001)false
                                                                                  Dec 9, 2024 07:26:13.270468950 CET1.1.1.1192.168.2.90x9bbdNo error (0)booksports64.linkpc.net178.63.102.185A (IP address)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • api.ipify.org
                                                                                  • freegeoip.net

                                                                                  HTTPS Proxied Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.949732104.26.12.2054438016C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-12-09 06:26:10 UTC142OUTGET / HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                                                                  Host: api.ipify.org
                                                                                  Connection: Keep-Alive
                                                                                  2024-12-09 06:26:10 UTC424INHTTP/1.1 200 OK
                                                                                  Date: Mon, 09 Dec 2024 06:26:10 GMT
                                                                                  Content-Type: text/plain
                                                                                  Content-Length: 12
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8ef2ec110b5f0f79-EWR
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1640&rtt_var=617&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=756&delivery_rate=1768625&cwnd=241&unsent_bytes=0&cid=6406fa6ce09d0ed6&ts=447&x=0"
                                                                                  2024-12-09 06:26:10 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                                                  Data Ascii: 8.46.123.228


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  1192.168.2.9497383.33.130.1904438016C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-12-09 06:26:12 UTC146OUTGET /xml/ HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                                                                  Host: freegeoip.net
                                                                                  Connection: Keep-Alive
                                                                                  2024-12-09 06:26:12 UTC121INHTTP/1.1 200 OK
                                                                                  Content-Type: text/html
                                                                                  Date: Mon, 09 Dec 2024 06:26:12 GMT
                                                                                  Content-Length: 114
                                                                                  Connection: close
                                                                                  2024-12-09 06:26:12 UTC114INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:01:25:59
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1"
                                                                                  Imagebase:0x7ff760310000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1540504472.000001C4EF260000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1431503065.000001C482B2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: RAT_Imminent, Description: Detects Imminent RAT, Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: RAT_xRAT, Description: Detects xRAT, Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: xRAT, Description: unknown, Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: Imminent, Description: unknown, Source: 00000000.00000002.1483625168.000001C491117000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1431503065.000001C482D45000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1431503065.000001C482BC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: RAT_Imminent, Description: Detects Imminent RAT, Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: RAT_xRAT, Description: Detects xRAT, Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: xRAT, Description: unknown, Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: Imminent, Description: unknown, Source: 00000000.00000002.1483625168.000001C491DB3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: RAT_Imminent, Description: Detects Imminent RAT, Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: RAT_xRAT, Description: Detects xRAT, Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: xRAT, Description: unknown, Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: Imminent, Description: unknown, Source: 00000000.00000002.1483625168.000001C4911B0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: RAT_Imminent, Description: Detects Imminent RAT, Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: RAT_xRAT, Description: Detects xRAT, Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: xRAT, Description: unknown, Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: Imminent, Description: unknown, Source: 00000000.00000002.1483625168.000001C4919DA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:1
                                                                                  Start time:01:25:59
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff70f010000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:01:26:05
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zj2ypknx\zj2ypknx.cmdline"
                                                                                  Imagebase:0x7ff62a000000
                                                                                  File size:2'759'232 bytes
                                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:01:26:05
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1E47.tmp" "c:\Users\user\AppData\Local\Temp\zj2ypknx\CSC9D592507824C4D0EA719E1D8C26EFB4E.TMP"
                                                                                  Imagebase:0x7ff66be70000
                                                                                  File size:52'744 bytes
                                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:5
                                                                                  Start time:01:26:05
                                                                                  Start date:09/12/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                  Imagebase:0xbd0000
                                                                                  File size:56'368 bytes
                                                                                  MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2614537206.0000000003013000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: RAT_Imminent, Description: Detects Imminent RAT, Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: RAT_xRAT, Description: Detects xRAT, Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: xRAT, Description: unknown, Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: Imminent, Description: unknown, Source: 00000005.00000002.2609538881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2614537206.0000000003075000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Disassembly

                                                                                  Reset < >

                                                                                    Execution Graph

                                                                                    Execution Coverage:3.4%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:12
                                                                                    Total number of Limit Nodes:0

                                                                                    Executed Functions

                                                                                    Function 00007FF887C3AE5B Relevance: 5.1, Strings: 3, Instructions: 1324COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1541613861.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887c30000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 0#L$p]L$r6B
                                                                                    • API String ID: 0-2661915977
                                                                                    • Opcode ID: 3708c6e66b18ee0226bc5fda62f3ed340087f0a4f60c6a05d5a3e595c8f0bc9a
                                                                                    • Instruction ID: 5fb58dfab4071bf38ec02f7c804076b28411973d0103ad0785d87a5b16edbe67
                                                                                    • Opcode Fuzzy Hash: 3708c6e66b18ee0226bc5fda62f3ed340087f0a4f60c6a05d5a3e595c8f0bc9a
                                                                                    • Instruction Fuzzy Hash: 3CC2D670908A1E8FDBA8DF58C895BACB7B2FF59344F1441A9D40DE7291DA34AE81DF40
                                                                                    Function 00007FF887C3EC54 Relevance: 1.9, APIs: 1, Instructions: 439processCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 230 7ff887c3ec54-7ff887c3ec5b 231 7ff887c3ec5d-7ff887c3ec65 230->231 232 7ff887c3ec66-7ff887c3ed34 230->232 231->232 237 7ff887c3ed92-7ff887c3edc4 232->237 238 7ff887c3ed36-7ff887c3ed45 232->238 245 7ff887c3ee22-7ff887c3ee96 237->245 246 7ff887c3edc6-7ff887c3edd5 237->246 238->237 239 7ff887c3ed47-7ff887c3ed4a 238->239 240 7ff887c3ed4c-7ff887c3ed5f 239->240 241 7ff887c3ed84-7ff887c3ed8c 239->241 243 7ff887c3ed63-7ff887c3ed76 240->243 244 7ff887c3ed61 240->244 241->237 243->243 247 7ff887c3ed78-7ff887c3ed80 243->247 244->243 254 7ff887c3ee98-7ff887c3eea7 245->254 255 7ff887c3eef4-7ff887c3effd CreateProcessA 245->255 246->245 248 7ff887c3edd7-7ff887c3edda 246->248 247->241 249 7ff887c3eddc-7ff887c3edef 248->249 250 7ff887c3ee14-7ff887c3ee1c 248->250 252 7ff887c3edf3-7ff887c3ee06 249->252 253 7ff887c3edf1 249->253 250->245 252->252 256 7ff887c3ee08-7ff887c3ee10 252->256 253->252 254->255 257 7ff887c3eea9-7ff887c3eeac 254->257 266 7ff887c3efff 255->266 267 7ff887c3f005-7ff887c3f096 call 7ff887c3f0b2 255->267 256->250 259 7ff887c3eeae-7ff887c3eec1 257->259 260 7ff887c3eee6-7ff887c3eeee 257->260 262 7ff887c3eec3 259->262 263 7ff887c3eec5-7ff887c3eed8 259->263 260->255 262->263 263->263 264 7ff887c3eeda-7ff887c3eee2 263->264 264->260 266->267 277 7ff887c3f098 267->277 278 7ff887c3f09d-7ff887c3f0b1 267->278 277->278
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1541613861.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887c30000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcess
                                                                                    • String ID:
                                                                                    • API String ID: 963392458-0
                                                                                    • Opcode ID: 9febc6099c11ddb3ccb723436102cd9cdeba8bddb0d8f877b2b0d98922f457f0
                                                                                    • Instruction ID: 204319bef597dde1e9b934e47c1cf42f82a281530c61eb0b81e6c59a2ef4535b
                                                                                    • Opcode Fuzzy Hash: 9febc6099c11ddb3ccb723436102cd9cdeba8bddb0d8f877b2b0d98922f457f0
                                                                                    • Instruction Fuzzy Hash: 76D1A530918A8D4FEB64EF18DC567E977E1FB58350F04422AD84EC7291DF78A941CB82
                                                                                    Function 00007FF887C3E8F4 Relevance: 1.6, APIs: 1, Instructions: 149injectionCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 279 7ff887c3e8f4-7ff887c3e8fb 280 7ff887c3e8fd-7ff887c3e905 279->280 281 7ff887c3e906-7ff887c3e995 279->281 280->281 285 7ff887c3e99f-7ff887c3e9f4 WriteProcessMemory 281->285 286 7ff887c3e997-7ff887c3e99c 281->286 288 7ff887c3e9fc-7ff887c3ea2d 285->288 289 7ff887c3e9f6 285->289 286->285 289->288
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1541613861.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887c30000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: MemoryProcessWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3559483778-0
                                                                                    • Opcode ID: a507af2cb801c66dc1a10adddcd6aa46d7066345c9f26b200b41803ce53bad0e
                                                                                    • Instruction ID: d367ebc1c415424b39d8fdef5c8ee44136ea15652a61878f1deed58e77735b73
                                                                                    • Opcode Fuzzy Hash: a507af2cb801c66dc1a10adddcd6aa46d7066345c9f26b200b41803ce53bad0e
                                                                                    • Instruction Fuzzy Hash: 7A41D431D0CB5D4FDB589F9898466EDBBE1FB95311F00426FE449D3292CE74A845C782
                                                                                    Function 00007FF887C3CC48 Relevance: 1.6, APIs: 1, Instructions: 128threadCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 292 7ff887c3cc48-7ff887c3cc4f 293 7ff887c3cc5a-7ff887c3cccd 292->293 294 7ff887c3cc51-7ff887c3cc59 292->294 298 7ff887c3cccf-7ff887c3ccd4 293->298 299 7ff887c3ccd7-7ff887c3cd12 Wow64SetThreadContext 293->299 294->293 298->299 301 7ff887c3cd1a-7ff887c3cd49 299->301 302 7ff887c3cd14 299->302 302->301
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1541613861.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887c30000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContextThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 983334009-0
                                                                                    • Opcode ID: 34cab5773d44ff07efe68dfb6cfc1d228e1b45bfaefc2a003aac140b19680af5
                                                                                    • Instruction ID: ed8ffa1f166c92eaa824c623b0714de80b8b9e3be70557d8ec1fa6f034e18ca5
                                                                                    • Opcode Fuzzy Hash: 34cab5773d44ff07efe68dfb6cfc1d228e1b45bfaefc2a003aac140b19680af5
                                                                                    • Instruction Fuzzy Hash: CE31F432D0CB494FDB299BA898466FE7BE1EB55321F04423FD04ED3192DF74A8068781
                                                                                    Function 00007FF887C3CB71 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 304 7ff887c3cb71-7ff887c3cc14 ResumeThread 309 7ff887c3cc1c-7ff887c3cc41 304->309 310 7ff887c3cc16 304->310 310->309
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1541613861.00007FF887C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887c30000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: ResumeThread
                                                                                    • String ID:
                                                                                    • API String ID: 947044025-0
                                                                                    • Opcode ID: b648c958aae7eb0c1f81bef8e722176c0e5167f2d2b7b740ca14355489ace5d0
                                                                                    • Instruction ID: 594d080337654e499427007a6a68c549fcae383914258511ba87b865019ec6ec
                                                                                    • Opcode Fuzzy Hash: b648c958aae7eb0c1f81bef8e722176c0e5167f2d2b7b740ca14355489ace5d0
                                                                                    • Instruction Fuzzy Hash: 5421D131A0CB4C8FDB58DFA8C84A7EE7BE1EB95321F04416FD449D7292DA799805CB81
                                                                                    Function 00007FF887D042EA Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1542390394.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887d00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: r6B
                                                                                    • API String ID: 0-2624010786
                                                                                    • Opcode ID: cc9b429f9f15736e1a0fee6dbd96ef4476dbedbba55e80b13cb9897b00178ccb
                                                                                    • Instruction ID: 379be6dfb5e64407d8404ee4da16c1b882bb3f535635e5f2bd4c9eb23b05b328
                                                                                    • Opcode Fuzzy Hash: cc9b429f9f15736e1a0fee6dbd96ef4476dbedbba55e80b13cb9897b00178ccb
                                                                                    • Instruction Fuzzy Hash: DF21E632F8C9194FFBA4955C78456F9B3E1FB952A0B5853B7C50EC319ADD08AC118380
                                                                                    Function 00007FF887D02AA8 Relevance: 1.3, Strings: 1, Instructions: 50COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 330 7ff887d02aa8-7ff887d02aaf 331 7ff887d02ab1-7ff887d02abe 330->331 332 7ff887d02acb-7ff887d02ae1 330->332 331->332 335 7ff887d02ac0-7ff887d02ac9 331->335 336 7ff887d02ae8-7ff887d02af0 332->336 335->332 338 7ff887d02af2-7ff887d02af6 336->338 339 7ff887d02af8-7ff887d02afd 336->339 340 7ff887d02afe-7ff887d02b0c 338->340 339->340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1542390394.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887d00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: r6B
                                                                                    • API String ID: 0-2624010786
                                                                                    • Opcode ID: 179c4b3d89917ea1727e47c012976f80fd46a32bdfcc1bb98cab8f5cce7411e1
                                                                                    • Instruction ID: bc688034bc2178144ebd5f5fdcf14fbe811985f72bf77552d2bc3b390a6c6664
                                                                                    • Opcode Fuzzy Hash: 179c4b3d89917ea1727e47c012976f80fd46a32bdfcc1bb98cab8f5cce7411e1
                                                                                    • Instruction Fuzzy Hash: 4E014E32E5DE058FE6B4920C65011BC62F2FF44270B5403B5D01EC319BCE1D7C52C242
                                                                                    Function 00007FF887D04311 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 354 7ff887d04311-7ff887d0432f 356 7ff887d04330-7ff887d04339 354->356 357 7ff887d04352-7ff887d0435f 356->357 358 7ff887d0433b-7ff887d04348 356->358 358->357 360 7ff887d0434a-7ff887d04350 358->360 360->357
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1542390394.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887d00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: r6B
                                                                                    • API String ID: 0-2624010786
                                                                                    • Opcode ID: 0c3e277d804ee3796e153f3bee02de21dfa5732b8879615b9261b16ef1e5c316
                                                                                    • Instruction ID: e7460458d5bd893862303e66887e0fb30d1f4ee78911579c8c8a3707abffb584
                                                                                    • Opcode Fuzzy Hash: 0c3e277d804ee3796e153f3bee02de21dfa5732b8879615b9261b16ef1e5c316
                                                                                    • Instruction Fuzzy Hash: A3F0E223F8D9595AB6A1D25C38046F966A2EB956A0B8852F7C54DC314AD804AC144381
                                                                                    Function 00007FF887D02F43 Relevance: .3, Instructions: 349COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 362 7ff887d02f43-7ff887d02f48 363 7ff887d02f4c-7ff887d02f58 362->363 364 7ff887d02f4a 362->364 365 7ff887d02f8b-7ff887d02f94 363->365 366 7ff887d02f5a-7ff887d02f84 363->366 364->363 369 7ff887d02f96-7ff887d02fae 365->369 370 7ff887d02fb0-7ff887d02fbd 365->370 367 7ff887d030b0-7ff887d030ed 366->367 368 7ff887d02f8a 366->368 383 7ff887d030ef-7ff887d030fb 367->383 384 7ff887d03138-7ff887d0315d 367->384 368->365 369->370 376 7ff887d03054-7ff887d0305e 370->376 377 7ff887d02fc3-7ff887d02fc6 370->377 379 7ff887d03060-7ff887d0306c 376->379 380 7ff887d0306d-7ff887d030ad 376->380 377->376 381 7ff887d02fcc-7ff887d02fd4 377->381 380->367 381->367 385 7ff887d02fda-7ff887d02fe4 381->385 388 7ff887d030fd-7ff887d03103 383->388 403 7ff887d03160-7ff887d03171 384->403 404 7ff887d0315f 384->404 386 7ff887d02fe6-7ff887d02ffb 385->386 387 7ff887d02ffd-7ff887d03001 385->387 386->387 387->376 391 7ff887d03003-7ff887d0303c 387->391 388->388 393 7ff887d03105-7ff887d0310a 388->393 414 7ff887d03043-7ff887d03053 391->414 400 7ff887d03135-7ff887d03137 393->400 401 7ff887d0310c-7ff887d03133 393->401 400->384 401->400 406 7ff887d03174-7ff887d0322e 403->406 407 7ff887d03173 403->407 404->403 407->406
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1542390394.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887d00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d106a5f2127853e0e51aeffdcb49e0f38e9fd7f8b762121bc51e2c8c2814d823
                                                                                    • Instruction ID: 37edd4ccf9fdb2daf61c85b2cdb83aa6678af0b3b1ba46ab63588c4b4766f4b9
                                                                                    • Opcode Fuzzy Hash: d106a5f2127853e0e51aeffdcb49e0f38e9fd7f8b762121bc51e2c8c2814d823
                                                                                    • Instruction Fuzzy Hash: E2B1282294DBCA5FE7969B7948541A97FF0FF56290B1802FFC05EC70E7DA199809C342
                                                                                    Function 00007FF887D027D8 Relevance: .0, Instructions: 31COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 492 7ff887d027d8-7ff887d027db 493 7ff887d027e6-7ff887d027ef 492->493 494 7ff887d027f1-7ff887d027fe 493->494 495 7ff887d02808-7ff887d02815 493->495 494->495 497 7ff887d02800-7ff887d02806 494->497 497->495
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1542390394.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff887d00000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a1a36182dc53b9969ee83028c1ea54f2a2dbeb843167202887512ffc0fdc78f
                                                                                    • Instruction ID: 989b7a6867c79f2a628bc07a0abfd88e2b688bad2d674fee6b9e5c0b70a72bd9
                                                                                    • Opcode Fuzzy Hash: 6a1a36182dc53b9969ee83028c1ea54f2a2dbeb843167202887512ffc0fdc78f
                                                                                    • Instruction Fuzzy Hash: 2FE09232E4D9298EFBD5A16C64482FC62A1EF94361B491377E40ED3189DC04AC9083C2

                                                                                    Non-executed Functions

                                                                                    Function 00007FF8F8D812E0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159memoryCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1547948807.00007FF8F8D81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8D80000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1547920923.00007FF8F8D80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548094834.00007FF8F8D84000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548122523.00007FF8F8D85000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff8f8d80000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapHeapsProcessWalkfree$Sleepmallocmemcmp
                                                                                    • String ID: AMSI$DotNet$PowerShell
                                                                                    • API String ID: 1222049031-1244725772
                                                                                    • Opcode ID: 30d8d4d0c79dde51177c9121f897a1f9832c19c207709c27c6875cec1a63189c
                                                                                    • Instruction ID: 3cc398d410e08757a21682093572507948e59c73a5d51ae81426ed78514037bc
                                                                                    • Opcode Fuzzy Hash: 30d8d4d0c79dde51177c9121f897a1f9832c19c207709c27c6875cec1a63189c
                                                                                    • Instruction Fuzzy Hash: D671E611A0D6C28DEB11AB65A80027A7BA5EF79BC4F254175DAAD433E1DF2CE14CE708
                                                                                    Function 00007FF8F8D81F7C Relevance: 13.6, APIs: 9, Instructions: 72COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1547948807.00007FF8F8D81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8D80000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1547920923.00007FF8F8D80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548094834.00007FF8F8D84000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548122523.00007FF8F8D85000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff8f8d80000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 313767242-0
                                                                                    • Opcode ID: e8d89c3167ac6d4f2107b00c51bbd94c1710c83bd6de03720e4f50e697011310
                                                                                    • Instruction ID: 9c53c132acb1b28955997a8850e455e9d1e8c918b8ff5a9bec29bcc14a49642f
                                                                                    • Opcode Fuzzy Hash: e8d89c3167ac6d4f2107b00c51bbd94c1710c83bd6de03720e4f50e697011310
                                                                                    • Instruction Fuzzy Hash: 90316D72A08B818AEB64AFA0E8407ED7364FB94784F54443ADA5E47AD8DF3CC24CD714
                                                                                    Function 00007FF8F8D81000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1547948807.00007FF8F8D81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8D80000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1547920923.00007FF8F8D80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548094834.00007FF8F8D84000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548122523.00007FF8F8D85000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff8f8d80000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                    • String ID: GetProcessHeaps$HeapWalk
                                                                                    • API String ID: 2238633743-2649802218
                                                                                    • Opcode ID: b948e826b13fef7b83f270b7b7362ffd5d36ce337cc988f29b4ae0f2f752308c
                                                                                    • Instruction ID: 6ad02150f66771c7d6a03bb6a89e63644e7dbb474f16748a65a755b2cc48c7c5
                                                                                    • Opcode Fuzzy Hash: b948e826b13fef7b83f270b7b7362ffd5d36ce337cc988f29b4ae0f2f752308c
                                                                                    • Instruction Fuzzy Hash: D3415D2590E2D28CE312672568609BA3FB15F76AC9F2901B6D5FD433D2CB1C924CF728
                                                                                    Function 00007FF8F8D81670 Relevance: 13.7, APIs: 9, Instructions: 230COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1547948807.00007FF8F8D81000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8F8D80000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1547920923.00007FF8F8D80000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548065226.00007FF8F8D83000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548094834.00007FF8F8D84000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1548122523.00007FF8F8D85000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff8f8d80000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                    • String ID:
                                                                                    • API String ID: 349153199-0
                                                                                    • Opcode ID: 341bbf03795bde3286466d6455dac96efe4660485df814d63a2408d3a6a1e4f2
                                                                                    • Instruction ID: 88cd5c003aa4f8a1eced296450dc817ca81dc132149ef806af3457cbaad81e8d
                                                                                    • Opcode Fuzzy Hash: 341bbf03795bde3286466d6455dac96efe4660485df814d63a2408d3a6a1e4f2
                                                                                    • Instruction Fuzzy Hash: 7681AD61E0C2438EFF54BB2698412B96299AFA5BC0F384135D96D477D6DF2CE80DE708

                                                                                    Execution Graph

                                                                                    Execution Coverage:12.3%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:160
                                                                                    Total number of Limit Nodes:13
                                                                                    execution_graph 32463 1580848 32464 1580851 32463->32464 32469 1582159 32463->32469 32474 15869d0 32464->32474 32479 1586a00 32464->32479 32465 1580865 32470 158217d 32469->32470 32484 1582258 32470->32484 32488 1582268 32470->32488 32475 1586a0f 32474->32475 32496 158c13a 32475->32496 32502 158c140 32475->32502 32476 1586aa7 32476->32465 32480 1586a0f 32479->32480 32482 158c13a 3 API calls 32480->32482 32483 158c140 3 API calls 32480->32483 32481 1586aa7 32481->32465 32482->32481 32483->32481 32486 1582268 32484->32486 32485 158236c 32485->32485 32486->32485 32492 1581944 32486->32492 32490 158228f 32488->32490 32489 158236c 32489->32489 32490->32489 32491 1581944 CreateActCtxA 32490->32491 32491->32489 32493 15832f8 CreateActCtxA 32492->32493 32495 15833bb 32493->32495 32497 158c140 32496->32497 32498 158c1b2 KiUserExceptionDispatcher 32497->32498 32499 158c1be 32497->32499 32508 158d458 32498->32508 32512 158d224 32498->32512 32499->32476 32503 158c159 32502->32503 32504 158c1b2 KiUserExceptionDispatcher 32503->32504 32505 158c1be 32503->32505 32506 158d458 LdrInitializeThunk 32504->32506 32507 158d224 LdrInitializeThunk 32504->32507 32505->32476 32506->32505 32507->32505 32509 158d478 32508->32509 32510 158d577 LdrInitializeThunk 32509->32510 32511 158d573 32509->32511 32510->32511 32513 158d458 32512->32513 32514 158d577 LdrInitializeThunk 32513->32514 32515 158d573 32513->32515 32514->32515 32516 6b31e60 32517 6b31ea2 32516->32517 32519 6b31ea9 32516->32519 32518 6b31efa CallWindowProcW 32517->32518 32517->32519 32518->32519 32520 6b34110 32521 6b34418 32520->32521 32522 6b34138 32520->32522 32523 6b34141 32522->32523 32526 6b3353c 32522->32526 32525 6b34164 32527 6b33547 32526->32527 32528 6b3445b 32527->32528 32530 6b33558 32527->32530 32528->32525 32531 6b34490 OleInitialize 32530->32531 32532 6b344f4 32531->32532 32532->32528 32533 69e6720 32534 69e6766 32533->32534 32538 69e68f2 32534->32538 32543 69e6900 32534->32543 32535 69e6853 32539 69e68fb 32538->32539 32542 69e6897 32538->32542 32546 69e6544 32539->32546 32542->32535 32544 69e692e 32543->32544 32545 69e6544 DuplicateHandle 32543->32545 32544->32535 32545->32544 32547 69e6968 DuplicateHandle 32546->32547 32549 69e692e 32547->32549 32549->32535 32550 69e8360 32551 69e8388 32550->32551 32553 69e83b0 32551->32553 32554 69e7b68 32551->32554 32555 69e7b73 32554->32555 32559 69ecfe2 32555->32559 32568 69ecff0 32555->32568 32556 69e8459 32556->32553 32561 69ed021 32559->32561 32562 69ed120 32559->32562 32560 69ed02d 32560->32556 32561->32560 32577 69ed268 32561->32577 32581 69ed259 32561->32581 32562->32556 32563 69ed06c 32586 69ee95a 32563->32586 32595 69ee968 32563->32595 32570 69ed021 32568->32570 32572 69ed120 32568->32572 32569 69ed02d 32569->32556 32570->32569 32575 69ed268 GetModuleHandleW 32570->32575 32576 69ed259 GetModuleHandleW 32570->32576 32571 69ed06c 32573 69ee95a 2 API calls 32571->32573 32574 69ee968 2 API calls 32571->32574 32572->32556 32573->32572 32574->32572 32575->32571 32576->32571 32604 69ed6b8 32577->32604 32611 69ed6a8 32577->32611 32578 69ed272 32578->32563 32582 69ed268 32581->32582 32584 69ed6b8 GetModuleHandleW 32582->32584 32585 69ed6a8 GetModuleHandleW 32582->32585 32583 69ed272 32583->32563 32584->32583 32585->32583 32587 69ee993 32586->32587 32628 69eeeb0 32587->32628 32588 69eea16 32589 69eea42 32588->32589 32590 69ebc34 GetModuleHandleW 32588->32590 32589->32589 32591 69eea86 32590->32591 32593 69ef830 CreateWindowExW 32591->32593 32594 69ef840 CreateWindowExW 32591->32594 32593->32589 32594->32589 32596 69ee993 32595->32596 32601 69eeeb0 GetModuleHandleW 32596->32601 32597 69eea16 32598 69ebc34 GetModuleHandleW 32597->32598 32600 69eea42 32597->32600 32599 69eea86 32598->32599 32653 69ef830 32599->32653 32657 69ef840 32599->32657 32601->32597 32605 69ed6c9 32604->32605 32608 69ed6e4 32604->32608 32618 69ebc34 32605->32618 32608->32578 32612 69ed6b8 32611->32612 32613 69ebc34 GetModuleHandleW 32612->32613 32614 69ed6e4 32612->32614 32615 69ed6d4 32613->32615 32614->32578 32615->32614 32616 69ed94a GetModuleHandleW 32615->32616 32617 69ed950 GetModuleHandleW 32615->32617 32616->32614 32617->32614 32619 69ed8a8 GetModuleHandleW 32618->32619 32621 69ed6d4 32619->32621 32621->32608 32622 69ed94a 32621->32622 32625 69ed950 32621->32625 32623 69ed964 32622->32623 32624 69ebc34 GetModuleHandleW 32622->32624 32623->32608 32624->32623 32626 69ebc34 GetModuleHandleW 32625->32626 32627 69ed964 32626->32627 32627->32608 32629 69eeeed 32628->32629 32630 69eef6e 32629->32630 32633 69ef030 32629->32633 32643 69ef020 32629->32643 32634 69ef045 32633->32634 32635 69ebc34 GetModuleHandleW 32634->32635 32636 69ef069 32634->32636 32635->32636 32637 69ebc34 GetModuleHandleW 32636->32637 32638 69ef225 32636->32638 32639 69ef1ab 32637->32639 32638->32630 32639->32638 32640 69ebc34 GetModuleHandleW 32639->32640 32641 69ef1f9 32640->32641 32641->32638 32642 69ebc34 GetModuleHandleW 32641->32642 32642->32638 32644 69ef030 32643->32644 32645 69ebc34 GetModuleHandleW 32644->32645 32646 69ef069 32644->32646 32645->32646 32647 69ebc34 GetModuleHandleW 32646->32647 32652 69ef225 32646->32652 32648 69ef1ab 32647->32648 32649 69ebc34 GetModuleHandleW 32648->32649 32648->32652 32650 69ef1f9 32649->32650 32651 69ebc34 GetModuleHandleW 32650->32651 32650->32652 32651->32652 32652->32630 32654 69ef815 32653->32654 32654->32653 32660 69ed454 32654->32660 32658 69ef875 32657->32658 32659 69ed454 CreateWindowExW 32657->32659 32658->32600 32659->32658 32661 69ef890 CreateWindowExW 32660->32661 32663 69ef9b4 32661->32663

                                                                                    Executed Functions

                                                                                    Function 0158D458 Relevance: 1.8, APIs: 1, Instructions: 276libraryCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 524 158d458-158d47a 526 158d47c-158d482 524->526 527 158d492-158d4c9 call 1588ccc 524->527 528 158d484 526->528 529 158d486-158d488 526->529 535 158d4cb-158d4d1 527->535 536 158d4e1-158d571 call 158a854 527->536 528->527 529->527 537 158d4d3 535->537 538 158d4d5-158d4d7 535->538 552 158d573-158d575 536->552 553 158d577-158d580 LdrInitializeThunk 536->553 537->536 538->536 554 158d583-158d58f 552->554 553->554 556 158d59d 554->556 557 158d591-158d59b 554->557 558 158d5a2-158d5a4 556->558 557->558 559 158d5ae-158d5bd 558->559 560 158d5a6-158d5ac 558->560 564 158d5bf-158d5c1 559->564 565 158d5c3-158d5c9 559->565 561 158d5d9-158d5f3 560->561 568 158d5f9-158d5ff 561->568 569 158d5f5-158d5f7 561->569 566 158d5cf-158d5d3 564->566 565->566 566->561 570 158d605-158d611 568->570 569->570 572 158d61f 570->572 573 158d613-158d61d 570->573 574 158d624-158d626 572->574 573->574 575 158d628-158d62e 574->575 576 158d630-158d63f 574->576 577 158d65b-158d675 575->577 580 158d641-158d643 576->580 581 158d645-158d64b 576->581 584 158d67b-158d681 577->584 585 158d677-158d679 577->585 582 158d651-158d655 580->582 581->582 582->577 586 158d687-158d693 584->586 585->586 588 158d6a1 586->588 589 158d695-158d69f 586->589 590 158d6a6-158d6a8 588->590 589->590 591 158d6aa-158d6b0 590->591 592 158d6b2-158d6c1 590->592 593 158d6dd-158d6f7 591->593 595 158d6c3-158d6c5 592->595 596 158d6c7-158d6cd 592->596 600 158d6f9-158d6fb 593->600 601 158d6fd-158d703 593->601 598 158d6d3-158d6d7 595->598 596->598 598->593 602 158d709-158d715 600->602 601->602 604 158d723 602->604 605 158d717-158d721 602->605 606 158d728-158d72a 604->606 605->606 607 158d72c-158d732 606->607 608 158d734-158d743 606->608 609 158d75f-158d783 607->609 612 158d749-158d74f 608->612 613 158d745-158d747 608->613 616 158d78e 609->616 617 158d785 609->617 615 158d755-158d759 612->615 613->615 615->609 618 158d78f 616->618 617->616 618->618
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2613751870.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_1580000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: dcc26e08bbf63f7943a03114a0dc90300eff63373b8c28cbc198e59829099b09
                                                                                    • Instruction ID: b25f7a5c75b225eefef7b09df95824a0055050f78db71d12ec17e550ccdec5c2
                                                                                    • Opcode Fuzzy Hash: dcc26e08bbf63f7943a03114a0dc90300eff63373b8c28cbc198e59829099b09
                                                                                    • Instruction Fuzzy Hash: FDA138343102058FDB48EF6AD494A6E37F2BF89654B118469E906EF3B5EB75EC02CB50
                                                                                    Function 069EF884 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 906 69ef884-69ef8f6 907 69ef8f8-69ef8fe 906->907 908 69ef901-69ef908 906->908 907->908 909 69ef90a-69ef910 908->909 910 69ef913-69ef94b 908->910 909->910 911 69ef953-69ef9b2 CreateWindowExW 910->911 912 69ef9bb-69ef9f3 911->912 913 69ef9b4-69ef9ba 911->913 917 69ef9f5-69ef9f8 912->917 918 69efa00 912->918 913->912 917->918 919 69efa01 918->919 919->919
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069EF9A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 8c7fea003253d6934efa49af4c9035e09fce31ec5d4107088c8ca07080599615
                                                                                    • Instruction ID: c3ce0abeb353e209407cc0560c12781b610efab91b63af054d8d8de251b04c1c
                                                                                    • Opcode Fuzzy Hash: 8c7fea003253d6934efa49af4c9035e09fce31ec5d4107088c8ca07080599615
                                                                                    • Instruction Fuzzy Hash: 7A51C0B1D10348AFDB15CF99D884ADEBFB5BF88310F24852AE819AB210D7759945CF90
                                                                                    Function 069ED454 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 920 69ed454-69ef8f6 922 69ef8f8-69ef8fe 920->922 923 69ef901-69ef908 920->923 922->923 924 69ef90a-69ef910 923->924 925 69ef913-69ef9b2 CreateWindowExW 923->925 924->925 927 69ef9bb-69ef9f3 925->927 928 69ef9b4-69ef9ba 925->928 932 69ef9f5-69ef9f8 927->932 933 69efa00 927->933 928->927 932->933 934 69efa01 933->934 934->934
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069EF9A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 73fe84ee714fca0e648318ec430af96dccfd041e3f133dc990bcae23c9565450
                                                                                    • Instruction ID: d935a0bc6520deb3e039cb2bf4a32d7018492ce752262f49f145bb1dfcd17dbb
                                                                                    • Opcode Fuzzy Hash: 73fe84ee714fca0e648318ec430af96dccfd041e3f133dc990bcae23c9565450
                                                                                    • Instruction Fuzzy Hash: 4C51B0B1D10348AFDB15CF9AD884ADEBBF5FF88310F64812AE819AB210D7759945CF90
                                                                                    Function 0158C140 Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 935 158c140-158c1a1 938 158c1a3 935->938 939 158c1a5-158c1ac 935->939 938->939 940 158c1b2 KiUserExceptionDispatcher 938->940 939->940 941 158c263-158c26a 939->941 958 158c1b8 call 158d458 940->958 959 158c1b8 call 158d224 940->959 942 158c1be-158c1d1 944 158c1e8-158c1f9 942->944 945 158c1d3-158c1e6 942->945 945->944 947 158c1fa-158c205 945->947 947->941 948 158c207-158c20f 947->948 949 158c26b-158c291 948->949 950 158c211-158c248 948->950 956 158c258-158c261 950->956 957 158c24a-158c257 950->957 956->941 956->948 958->942 959->942
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 0158C1B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2613751870.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_1580000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 1a04acdb733512b5f7c2735cde18cbe5ff3ee69f00fc670b5595e3f913872369
                                                                                    • Instruction ID: 176f09a6c5488f3e157f602cb8b9b9c7aa15b075a66c7aaab462a0b92784da79
                                                                                    • Opcode Fuzzy Hash: 1a04acdb733512b5f7c2735cde18cbe5ff3ee69f00fc670b5595e3f913872369
                                                                                    • Instruction Fuzzy Hash: 13415B35E053098FDB01EF68E8806DEBFB1FB85320F1145AAC155EB295DB349C26CBA0
                                                                                    Function 069E6A27 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 960 69e6a27-69e6b56
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,069E692E,?,?,?,?,?), ref: 069E69EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: cbe6d322d86c8dc88d7d0df7a6c491d3b8c86a01220101568669ad17e3e001bf
                                                                                    • Instruction ID: 8ef5b65acaeb6b20e54e770067d109356830f126b2c94797c0e09622b4c10aae
                                                                                    • Opcode Fuzzy Hash: cbe6d322d86c8dc88d7d0df7a6c491d3b8c86a01220101568669ad17e3e001bf
                                                                                    • Instruction Fuzzy Hash: DA416E34A45344DFE705AF64E456BBE7FFAEB48321F148029EA119B785CBB44981CF20
                                                                                    Function 01581944 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 975 1581944-15833b9 CreateActCtxA 978 15833bb-15833c1 975->978 979 15833c2-158341c 975->979 978->979 986 158342b-158342f 979->986 987 158341e-1583421 979->987 988 1583440 986->988 989 1583431-158343d 986->989 987->986 991 1583441 988->991 989->988 991->991
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 015833A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2613751870.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_1580000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: d05960a0108f4b524a0b5e56f55ac8b168492f19137f5c257b2f5091de103630
                                                                                    • Instruction ID: 51da95322b71b79251dde606a68f974c40dd5057e8bc13fa19139c84c19e1de1
                                                                                    • Opcode Fuzzy Hash: d05960a0108f4b524a0b5e56f55ac8b168492f19137f5c257b2f5091de103630
                                                                                    • Instruction Fuzzy Hash: E241BEB5C00719CBDB25DFA9D844B9EBBF5BF48704F20806AD408AB251DBB56946CFA0
                                                                                    Function 015832EE Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 992 15832ee-15833b9 CreateActCtxA 994 15833bb-15833c1 992->994 995 15833c2-158341c 992->995 994->995 1002 158342b-158342f 995->1002 1003 158341e-1583421 995->1003 1004 1583440 1002->1004 1005 1583431-158343d 1002->1005 1003->1002 1007 1583441 1004->1007 1005->1004 1007->1007
                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 015833A9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2613751870.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_1580000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 7e7af0bbdc0d6794a272e68bdf988be60ac722f49dec2fcf445f90f80cb64735
                                                                                    • Instruction ID: 65704633979ef6216775029cb222ac0bb8430f66c76db068caa7cf9d7acdd5ba
                                                                                    • Opcode Fuzzy Hash: 7e7af0bbdc0d6794a272e68bdf988be60ac722f49dec2fcf445f90f80cb64735
                                                                                    • Instruction Fuzzy Hash: 9841DDB5C00719CBEB25DFA9C944BDEBBF5BF48704F20806AD408AB251DBB56946CF90
                                                                                    Function 06B31E60 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1008 6b31e60-6b31e9c 1009 6b31ea2-6b31ea7 1008->1009 1010 6b31f4c-6b31f6c 1008->1010 1011 6b31efa-6b31f32 CallWindowProcW 1009->1011 1012 6b31ea9-6b31ee0 1009->1012 1017 6b31f6f-6b31f7c 1010->1017 1013 6b31f34-6b31f3a 1011->1013 1014 6b31f3b-6b31f4a 1011->1014 1018 6b31ee2-6b31ee8 1012->1018 1019 6b31ee9-6b31ef8 1012->1019 1013->1014 1014->1017 1018->1019 1019->1017
                                                                                    APIs
                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06B31F21
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621801708.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6b30000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: 60ec904a28c0770013151577c574a4f64ae7c1f623f51f79c275ea956ce4082d
                                                                                    • Instruction ID: e7843364b526917e6618f68fa7e61b47c990e38824c3adea63d9c230c421ddba
                                                                                    • Opcode Fuzzy Hash: 60ec904a28c0770013151577c574a4f64ae7c1f623f51f79c275ea956ce4082d
                                                                                    • Instruction Fuzzy Hash: 22413AB5A103158FDB54CF99C448BAABBF9FF88314F24C499E519AB321D371A841CFA0
                                                                                    Function 069E6962 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1022 69e6962-69e69bc 1024 69e69bf-69e69fc DuplicateHandle 1022->1024 1025 69e69fe-69e6a04 1024->1025 1026 69e6a05-69e6a22 1024->1026 1025->1026
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,069E692E,?,?,?,?,?), ref: 069E69EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: dbe24ffabe3afa5ae2e5a9f4cd3078b6a3f4c79aaac568ffa542a48c27270485
                                                                                    • Instruction ID: 1e723882b1fd26b97546ce608cfd8c081900138ae3bba78ea5b3184bd186b0d2
                                                                                    • Opcode Fuzzy Hash: dbe24ffabe3afa5ae2e5a9f4cd3078b6a3f4c79aaac568ffa542a48c27270485
                                                                                    • Instruction Fuzzy Hash: 7A2119B5D002489FDB10CF9AD984ADEBBF9FB48310F10801AE914A7350D374A940CFA5
                                                                                    Function 069E6544 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1029 69e6544-69e69fc DuplicateHandle 1032 69e69fe-69e6a04 1029->1032 1033 69e6a05-69e6a22 1029->1033 1032->1033
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,069E692E,?,?,?,?,?), ref: 069E69EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 37933353392998a54fa9f41b511ab556e344bf847a012df4a8f08f5c96eb226a
                                                                                    • Instruction ID: a847ee35a28756413e22a154271f2934835356bee5e7b46440f10e5e0e3c93c0
                                                                                    • Opcode Fuzzy Hash: 37933353392998a54fa9f41b511ab556e344bf847a012df4a8f08f5c96eb226a
                                                                                    • Instruction Fuzzy Hash: 2C21E7B59003489FDB11CF99D584ADEFBF4FB48310F14845AE914A7350D374A940CFA5
                                                                                    Function 0158C13A Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1036 158c13a-158c1a1 1040 158c1a3 1036->1040 1041 158c1a5-158c1ac 1036->1041 1040->1041 1042 158c1b2 KiUserExceptionDispatcher 1040->1042 1041->1042 1043 158c263-158c26a 1041->1043 1060 158c1b8 call 158d458 1042->1060 1061 158c1b8 call 158d224 1042->1061 1044 158c1be-158c1d1 1046 158c1e8-158c1f9 1044->1046 1047 158c1d3-158c1e6 1044->1047 1047->1046 1049 158c1fa-158c205 1047->1049 1049->1043 1050 158c207-158c20f 1049->1050 1051 158c26b-158c291 1050->1051 1052 158c211-158c248 1050->1052 1058 158c258-158c261 1052->1058 1059 158c24a-158c257 1052->1059 1058->1043 1058->1050 1060->1044 1061->1044
                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 0158C1B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2613751870.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_1580000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser
                                                                                    • String ID:
                                                                                    • API String ID: 6842923-0
                                                                                    • Opcode ID: 6f42df9bcafaf9d8b29b7b90760f1675e491530819c48c45e6a22d17a70dd0bc
                                                                                    • Instruction ID: 5d7923956faf1abecae0f512f96ed23a1df04b95825b79bcd4ef4c0a6174556b
                                                                                    • Opcode Fuzzy Hash: 6f42df9bcafaf9d8b29b7b90760f1675e491530819c48c45e6a22d17a70dd0bc
                                                                                    • Instruction Fuzzy Hash: C8110B31E10209CBDB04EF68E9855EEBFB1FB84320F510525D515B73D8EB305926CBA0
                                                                                    Function 069EBC34 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1062 69ebc34-69ed8e8 1064 69ed8ea-69ed8ed 1062->1064 1065 69ed8f0-69ed91b GetModuleHandleW 1062->1065 1064->1065 1066 69ed91d-69ed923 1065->1066 1067 69ed924-69ed938 1065->1067 1066->1067
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,069ED6D4), ref: 069ED90E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: c85ad72772492577fcc2ed5960ad5e35787d06e15a16d2e4de6b9787b7f9e9d7
                                                                                    • Instruction ID: 2e3e119f2a99fab8c0b3f627ab6cf3f8a65307b3945d135749dd83f40bba08c9
                                                                                    • Opcode Fuzzy Hash: c85ad72772492577fcc2ed5960ad5e35787d06e15a16d2e4de6b9787b7f9e9d7
                                                                                    • Instruction Fuzzy Hash: DD1102B6C003498FDB20DF9AD844BDEFBF4EF48214F10846AD829A7600D375A545CFA5
                                                                                    Function 069ED8A2 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1069 69ed8a2-69ed8e8 1071 69ed8ea-69ed8ed 1069->1071 1072 69ed8f0-69ed91b GetModuleHandleW 1069->1072 1071->1072 1073 69ed91d-69ed923 1072->1073 1074 69ed924-69ed938 1072->1074 1073->1074
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,069ED6D4), ref: 069ED90E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621596982.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_69e0000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: e25fdfd4888f070c421789d020351261b708d4c2e9ee54466f8454ecda9dbaf0
                                                                                    • Instruction ID: 92d02325faaf234f38dbd6a108f37550ccdda9735bfd6d263df1dcce3c4a24ac
                                                                                    • Opcode Fuzzy Hash: e25fdfd4888f070c421789d020351261b708d4c2e9ee54466f8454ecda9dbaf0
                                                                                    • Instruction Fuzzy Hash: 501102B6C002498FCB11DF9AD844BDEFBF4EF48324F10842AD819A7600C379A645CFA5
                                                                                    Function 06B34488 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1076 6b34488-6b3448e 1077 6b34490-6b344f2 OleInitialize 1076->1077 1078 6b344f4-6b344fa 1077->1078 1079 6b344fb-6b34518 1077->1079 1078->1079
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 06B344E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621801708.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6b30000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: e1102289c8dd9516f1c4f35a38155f195ca3a53fb818964689f0a38770dd44a2
                                                                                    • Instruction ID: 4a09ab4ea62fbb66c000c7a9bcde6b3ecd16e00e574003efe3ea59ef21713604
                                                                                    • Opcode Fuzzy Hash: e1102289c8dd9516f1c4f35a38155f195ca3a53fb818964689f0a38770dd44a2
                                                                                    • Instruction Fuzzy Hash: 561115B5D003498FDB20DFAAD545BDEBBF8EB48324F108469E559A7200C774A644CFA9
                                                                                    Function 06B33558 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1082 6b33558-6b344f2 OleInitialize 1084 6b344f4-6b344fa 1082->1084 1085 6b344fb-6b34518 1082->1085 1084->1085
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 06B344E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2621801708.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6b30000_aspnet_compiler.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: 05ac374d70df605fdc608adb0db373aa14eeadd4fbcd827233dea1fc7b1a936f
                                                                                    • Instruction ID: cd40e7c29d404c36726874c6406eaa1526ccddb9da2e5fb2668238ba430a8c4f
                                                                                    • Opcode Fuzzy Hash: 05ac374d70df605fdc608adb0db373aa14eeadd4fbcd827233dea1fc7b1a936f
                                                                                    • Instruction Fuzzy Hash: 3E1115B59043488FDB60DF9AD545BDEFBF4EB48324F108469D519A7200C774A944CFA5